
“Human beings adjust behavior based on the metrics they’re held against. Anything you measure will impel a person to optimize his score on that metric. What you measure is what you’ll get. Period.” – Dan Ariely, Duke University behavioral economist in Harvard Business Review

When the Verizon Data Breach Investigation Report started reporting “time to” metrics around 2013 (time to detect, time to contain, time to remediate), most security operations managers started to monitor their own team’s performance against these stats. That’s not a bad thing – I’ve certainly touted these numbers in my posts before. They help assess workloads and justify investment.

However, as managers, we need to add another lens to emphasize efficiency AND effectiveness.

Closing cases (time to contain, time to remediate) without getting to root cause is like chopping off the arm of the starfish – the arm will likely grow back and may come back bigger and nastier.

Why care about root cause?

Root cause is the secret to returning to a healthy state. Getting to root cause means you identify how the attacker got in, which systems provided cover, which credentials were abused, and how they manipulated system, countermeasure, and application software to hide their tracks. When you push investigations to the point of root cause analysis, you are more likely to fully scope the attacker’s activities and excise them from your estate. If you don’t get to root cause, an attacker may retain a foothold, ready to reactivate after you have reimaged the host or blocked an IP address and claimed “case closed.” That lingering presence means you still risk damage, as well as repeated cleanup costs.

In Disrupting the Disruptors, Art or Science?, we researched threat hunting practices in security operations centers. Time to close is an important stat, and the most mature orgs are closing faster than anyone else, by a huge margin. Mature orgs were 2 times more likely to close cases within a day than the merely innovative, and closer to three times more likely to close within a day than the SOCs just getting started. (For details on the maturity definitions and other findings, download the free report.)

Leaders close, with higher confidence the incident won’t recur

But – there’s another very important metric that clearly isn’t being rewarded as aggressively, or the numbers would be better, per the behavioral psychologists who say you get what you measure. The most advanced threat hunting organizations are winning on time to close AND aggressively uncovering root cause. Hunters at the minimal level typically determine the cause of just 20-30% of attacks, compared to leading hunters, who dig in and find root cause for 70% or more.

Net net: the leading SOCs are closing more cases faster AND getting to root cause most of the time – performing far better than their peer groups. As an industry, let’s start to measure both of these goals to increase overall cybersecurity health.

For insights on how leading SOCs are achieving these results, such as advanced use of automation and sandboxing, read the report.

A recent McAfee blog, ‘Malware Packers Use Tricks to Avoid Analysis, Detection’, highlighted the use of packers as an effective way to slow down analysis and decrease detection by antimalware products.

As an engineer with a keen interest in malware, I’m very familiar with packers and the conclusion from that blog that ‘manual analysis usually defeats .’ Manual analysis can take time, something that seems to be in short supply as of late. I’ve found a McAfee product – McAfee Advanced Threat Defense (ATD) – that takes care of the packing problem for me, saving lots of time and a few headaches too.

Let me explain: First, what’s a packer?

A packer is a tool that can be used to compress, encrypt, or modify the format of a file. By packing a file, malware authors can obfuscate its content and disrupt analysis by threat detection tools. This technique may also be referred to as “executable compression.” Compressing the file reduces its footprint or size and can be an effective way to avoid or reduce the chance of the malicious file being detected, allowing for successful delivery of a payload. Effective as the method is, forcing the code to re-execute and then examining a memory dump provides a way to detect even the most advanced threats. So how is this accomplished? McAfee ATD provides an answer to detecting the most advanced and obfuscated code in packed or unpacked files.

When a packed sample arrives at McAfee ATD for analysis, the sample is loaded into memory and the packer associated with the sample unpacks the code, de-obfuscating the code during execution. At this point, several advanced detection engines are engaged, including dynamic analysis (observation of execution) and static code analysis (where the code – not just the behavior it exhibited in the sandbox – is scrutinized for any malicious behavior). After the sample has finished execution, McAfee ATD assesses the memory dump and maps the code. As sections of code are analyzed, family classification is performed on the buffered code based on known malicious behavior. Once the assessment of behavioral characteristics of the code is completed, a determination on whether the file is clean or malicious yields a reputation verdict. Quick. Easy. Done.
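To make the two paragraphs above concrete, here is a small added example (not McAfee code and not ATD’s engine) of why scanning a packed file on disk fails while scanning the unpacked buffer succeeds. The “packer” is a stand-in: zlib compression followed by a single-byte XOR. The payload bytes, the signature string and the XOR key are all constructed for illustration. The entropy function is the usual packer heuristic: compressed or encrypted data looks close to random, so its byte entropy rises toward 8 bits.

```python
"""Toy packer, unpacker and memory-dump scan (added example, not McAfee's code)."""
import math
import zlib
from collections import Counter

# Constructed signature a scanner might look for in the unpacked code.
SIGNATURE = b"CAPTURE_KEYSTROKES"

# Constructed sample "program"; a real sample would be a PE/ELF section.
PAYLOAD = (
    b"mov eax, ebx ; ret ; " * 40
    + SIGNATURE
    + b"http://c2.example.invalid/beacon " * 10
)

XOR_KEY = 0x5A  # constructed key; real packers use far more elaborate stubs


def pack(data: bytes, key: int = XOR_KEY) -> bytes:
    """Compress, then XOR-obfuscate: what the packer does at build time."""
    compressed = zlib.compress(data, 9)
    return bytes(b ^ key for b in compressed)


def unpack(blob: bytes, key: int = XOR_KEY) -> bytes:
    """What the packer's stub does at load time: undo the XOR, then decompress.
    This is the code that runs when the sample is 'executed' in the sandbox."""
    return zlib.decompress(bytes(b ^ key for b in blob))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random-looking (packed/encrypted) data approaches 8.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def static_scan(blob: bytes) -> bool:
    """Naive on-disk signature scan over the bytes as they sit in the file."""
    return SIGNATURE in blob


def memory_dump_scan(blob: bytes) -> bool:
    """Sandbox-style scan: let the stub run (unpack), then scan the buffer it
    produced. Files that were never packed are scanned as they are."""
    try:
        in_memory = unpack(blob)
    except zlib.error:
        in_memory = blob
    return SIGNATURE in in_memory


def analyze(blob: bytes) -> dict:
    """Summarise what each approach sees for one sample."""
    return {
        "static_hit": static_scan(blob),
        "memory_hit": memory_dump_scan(blob),
        "entropy": round(shannon_entropy(blob), 2),
    }


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("original :", analyze(PAYLOAD))
    print("packed   :", analyze(packed))
```

On the packed blob the static scan misses, the memory-dump scan hits, and entropy is noticeably higher than on the original bytes. Entropy is only a hint: the ceiling for a short blob is log2(len), so use it on whole sections of real files rather than on a few dozen bytes.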

As mentioned in the previous blog, a rather effective method for defeating a packer is to manually analyze the file. McAfee ATD can help with that as well: it offers manual analysis capabilities through its interactive mode, or X-Mode. Manually uploading a file to a McAfee ATD appliance and enabling the X-Mode feature lets users choose the analysis environment or virtual machine (VM) in which to execute the file. As the file is uploaded through this route, a user may open a window to the active VM detonating the file to observe and interact with the malware. This provides a deep investigative and forensic capability for a malware analyst to understand the behavior of the executed code.

A packer can prove to be an effective way to slow analysis or even avoid it altogether. For packed files that would typically fly under the radar of traditional sandbox solutions, McAfee ATD provides ways to overcome this advanced detection-avoidance method used by malware authors.

In this year’s Radicati APT Protection—Market Quadrant, McAfee Advanced Threat Defense attained a position in the Top Players quadrant for the third year running.

The Radicati report assesses advanced persistent threat (APT) solutions from major security vendors and places them in its quadrant based on the depth and breadth of product functionality and strategic vision. Top Players are typically market leaders that shape the industry through their technology innovations and understanding of market forces.

McAfee Advanced Threat Defense landed its position in the Radicati quadrant because of its ability to detect complex, sophisticated threats and to connect with other security components and turn threat information into action and protection.

Reporting and outputs, including the ability to share indicators of compromise (IoCs) for targeted investigations.

The overall breadth of protection provided by the McAfee product portfolio—from endpoints to desktops to servers.

Additional detection engines, such as signatures, reputation, and real-time emulation, that accelerate analysis.

The centralized analysis device acts as a shared resource among multiple McAfee devices.

Tight integration with all McAfee solutions and third-party partner products, whether directly or through the McAfee Data Exchange Layer communications fabric. This enables real-time information sharing across the entire security ecosystem when attacks and malware are detected.

DLP technology is applied in-line to traffic by way of integration with McAfee Web Gateway.


In addition to the endpoint and network operational efforts for WannaCry, this outbreak presents great learning and response opportunities for analysts in the security operations center (SOC). Understanding and automating these best practices will set you up to handle evolving WannaCry activities, as well as the next fast-moving attack.

Responding to an attack like WannaCry, the SOC must answer three key questions:

1. First Question – Am I affected?

The first process for a SOC is to assess what you have already experienced and gain current situational awareness. This evaluation can come from reports on endpoint and network security events related to the attack, from within the malware, and from the SIEM. In the McAfee ecosystem, here is what you can do:

Report on endpoint events. McAfee ePolicy Orchestrator can report out events based on the signatures it has downloaded from McAfee Global Threat Intelligence.

Conduct malware analysis. Sandboxing systems like McAfee Advanced Threat Defense can generate reports on unknown variants and share them in machine-readable form as a STIX file.

Perform automated searching. Leveraging integrations provided by McAfee, IOC data from sandboxes and other sources can be used to immediately mine endpoints (via McAfee Active Response) and the SIEM database (via McAfee Enterprise Security Manager) for related activity. If an event containing an IOC is present in the SIEM database, it can indicate other hosts that are in the process of being locked, hosts connecting to malicious IP addresses or domains related to WannaCry, and related indicators that your own hunters may want to pursue as part of their containment efforts.

Perform manual IOC searches. Other sources of intelligence, such as external CERT notices, can also be used for ad hoc searching using McAfee Active Response.

Multi-engine analysis by McAfee Advanced Threat Defense shows the scope of malicious behavior in a WannaCry

2. Second Question – Is there new activity?

Proactive analysis and hunting using analytics and intelligence allows SOC staff to be on constant vigil for activity related to known WannaCry behaviors, and trigger an action – from active quarantine to a policy-driven scan to an email or SMS alert to drive incident responders. Here’s what you can do in the McAfee ecosystem:

Enable analytics-driven monitoring of events and behaviors. IOCs ingested by the SIEM can populate a watchlist for ongoing, forward-looking monitoring for new occurrences. In addition, endpoint trace data sent by McAfee Active Response is monitored in the cloud for behaviors that are indications of WannaCry activities (persistence, stealth, recon, self-protection, data stolen, signal infection).

Enhance human investigations. The Active Response threat workspace presents endpoint event findings from the cloud in a dynamic dashboard that can help you drill down and explore event relationships. Similarly, SIEM shows new events in the context of the overall estate, including user context, network flow data, and more.

Conduct manual IOC searches. In the case of WannaCry, indicators of compromise (IOCs) are publicly available from several sources, including US-CERT. So in addition to the discoveries within your environment shared by your internal sandbox, you should also be consuming and evaluating these other third-party intelligence sources to get the most complete picture of known WannaCry behaviors. When new intelligence emerges from third-party or local sources, it can trigger ad hoc searching using McAfee Active Response.
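The first two questions above boil down to two searches over the same indicator set: a historical search (“Am I affected?”) and a forward-looking watchlist that fires an action on new hits (“Is there new activity?”). The added example below (not McAfee code, and not the ESM or Active Response query syntax) shows both over key=value style events. The IOC values and the log lines are constructed placeholders (TEST-NET addresses, a reserved `.invalid` domain, an all-zero hash), not real WannaCry indicators.

```python
"""IOC hunting and watchlisting over log events (added example, not McAfee's code)."""
import re

# Constructed IOC set in the shape a sandbox report or CERT advisory would supply.
IOCS = {
    "sha256": {"0" * 63 + "1"},           # placeholder file hash
    "ipv4": {"198.51.100.23"},            # TEST-NET-2 address standing in for a C2 IP
    "domain": {"c2.example.invalid"},     # reserved TLD standing in for a C2 domain
}

# Constructed historical SIEM-style events.
HISTORICAL_LOGS = [
    "ts=2017-05-12T10:01:00Z host=ws-014 type=dns query=c2.example.invalid",
    "ts=2017-05-12T10:01:05Z host=ws-014 type=netconn dst=198.51.100.23 dport=445",
    "ts=2017-05-12T10:02:00Z host=ws-022 type=file sha256=" + "0" * 63 + "1",
    "ts=2017-05-12T10:03:00Z host=ws-031 type=dns query=update.example.com",
]

KV = re.compile(r"(\w+)=(\S+)")
# Which event fields carry which kind of indicator (assumption for this schema).
FIELD_TYPE = {"query": "domain", "dst": "ipv4", "src": "ipv4", "sha256": "sha256"}


def parse(line: str) -> dict:
    """Turn one key=value line into a dict."""
    return dict(KV.findall(line))


def match_iocs(event: dict) -> list:
    """Return (ioc_type, value) pairs from one event that are in the IOC set."""
    hits = []
    for field, kind in FIELD_TYPE.items():
        value = event.get(field)
        if value and value.lower() in IOCS[kind]:
            hits.append((kind, value.lower()))
    return hits


def hunt(lines) -> dict:
    """Historical search: map each affected host to the indicators seen on it."""
    affected = {}
    for line in lines:
        event = parse(line)
        for hit in match_iocs(event):
            affected.setdefault(event["host"], set()).add(hit)
    return affected


class Watchlist:
    """Forward-looking monitor: run `action` once per host on its first new hit."""

    def __init__(self, action):
        self.action = action   # e.g. alert, quarantine, policy-driven scan
        self.seen = set()

    def observe(self, line: str):
        event = parse(line)
        hits = match_iocs(event)
        if hits and event["host"] not in self.seen:
            self.seen.add(event["host"])
            return self.action(event["host"], hits)
        return None


if __name__ == "__main__":
    for host, hits in hunt(HISTORICAL_LOGS).items():
        print(host, sorted(hits))
    watch = Watchlist(lambda host, hits: f"quarantine {host} ({hits})")
    print(watch.observe("ts=2017-05-13T08:00:00Z host=ws-050 type=netconn dst=198.51.100.23 dport=445"))
```

The watchlist deduplicates per host so a noisy endpoint does not trigger the same quarantine repeatedly; in a real deployment the action would be the SIEM alarm, Active Response quarantine or ePO policy the SOC has chosen.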

3. Final Question – Am I maintaining protection?

Many tools today can be updated with new IOCs and signatures, and with policy-driven updates and actions. This video of OpenDXL and a threat intelligence platform shows one way that this process can be managed. McAfee ePolicy Orchestrator integrations can take action on a variety of endpoint systems, including Security Innovation Alliance integrated partners.

Rapidly spreading malware like WannaCry should be a further spur to SOC teams to improve their access to and use of the intelligence so readily available today. The good news for SOC staff is that many functions that should be performed can be automated, freeing you to do the investigation and extrapolation that only humans can drive. For ideas, please check out these blogs on automation and threat hunting.


Today everyone is talking about security automation. However, what are the right processes and actions to automate safely? What are the right processes and actions to automate that will actually achieve some security outcome, such as improving sec ops efficiency or reducing attacker dwell time? Just look in the latest industry report and you will find a statistic about how long attackers linger in a network without detection. It’s getting better, but the average is still heavily in favor of the attacker.

One of the reasons why attackers are so successful at maintaining persistence is that most organizations struggle to make effective use of threat intelligence. Making effective use means taking the volumes of threat intelligence data, primarily technical Indicators of Compromise (IOCs), hunting for affected systems with those IOCs, and then adapting countermeasures to contain the incident or just update protection. These critical tasks – collecting and validating intelligence, performing triage, and adapting cyber defenses to contain an incident – must be automated if we ever want to get ahead of the attackers.

McAfee’s Intelligent Security Operations solution automates many key threat hunting tasks. In this solution, McAfee Advanced Threat Defense (ATD), a malware analytic system, produces the local IOCs based on malware submissions from the endpoint and network sensors. It automatically shares the new intelligence with McAfee Enterprise Security Manager (ESM) for automated historical analysis, with the McAfee Active Response component of McAfee Endpoint Threat Defense and Response (ETDR) for real time endpoint analysis, and with McAfee Threat Intelligence Exchange (TIE) for automated containment at the endpoint or network.

However, wouldn’t it be great if we could automate hunting and incident containment for all threat intelligence, not just file hashes? We can expand the capability of the Intelligent Security Operations solution to handle more intelligence and automate more incident response tasks using the power of OpenDXL.

Consolidate Threat Intelligence Collection with OpenDXL and MISP

Organizations need threat intelligence from three different sources:

Global intelligence from vendors or large providers

Community intelligence from closed sources, and

Enterprise, or locally produced, intelligence

Local threat intelligence, typically produced by malware sandboxes, such as McAfee Advanced Threat Defense (ATD), or learned from previous incident investigations, usually relates to attacks targeted at the enterprise and would not be visible through other external intelligence feeds. Large organizations typically consolidate these feeds inside a threat intelligence platform to simplify the management, sharing and processing of the data.

Using OpenDXL, we can more simply push locally-produced intelligence from ATD into threat intelligence platforms, such as Malware Information Sharing Platform (MISP), an open source intelligence sharing platform. Inside MISP, ATD data can be labeled and combined with other sources providing a central repository to operationalize threat intelligence. Using OpenDXL, MISP can then push all threat intelligence-based IOCs to ESM and Active Response for further triage and out to firewalls, proxies, endpoints and other cyber defense tools for automated containment.

Full IOC Hunting with ESM, Active Response and OpenDXL

One of the best ways to reduce attacker dwell time is to use threat intelligence to hunt for compromised systems in the enterprise with ESM and Active Response. With threat intelligence centrally collected in MISP, we can automate historical analysis using the existing back trace feature in ESM. Using OpenDXL integration with MISP, we can also hunt on all the IOCs and send the results back to ESM or Kibana. This expands the capability of the original solution, fully automating the hunting process with both historical and real-time searches for all IOCs, not just local intelligence.

Automated Incident Containment with OpenDXL

If a system is found to be compromised, the next task is to contain it and update defenses as fast as possible. When it comes to updating cyber defense countermeasures, such as firewalls or web proxies, internal procedures or business silos can slow response. For example, sending a ticket to the firewall team or service provider to block a command-and-control IP address or domain could take hours even in mature organizations. These silos slow down incident response and increase attackers’ dwell time.

OpenDXL integration with MISP reduces dwell time by pushing all indicators, not just file hashes, out to network and endpoint countermeasures. Indicators such as command-and-control IP addresses, malicious URLs or domains, and file hashes can be automatically shared with McAfee Dynamic Endpoint, network firewalls such as Forcepoint or Check Point, or web proxies such as McAfee Web Gateway. In this way, indicator-sharing with any countermeasure on the network or endpoint is automated, reducing dwell time and better protecting your business.
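The step that turns a MISP event into countermeasure updates is mostly a routing decision: each attribute type belongs to a different enforcement point, and only attributes the analyst flagged for detection should ever reach a blocklist. The added example below (not McAfee, OpenDXL or MISP project code) reads a MISP-shaped event and produces one list per countermeasure. The event JSON, the countermeasure names and the type-to-countermeasure mapping are constructed assumptions; the attribute type names (`ip-dst`, `domain`, `url`, `sha256`, `ip-dst|port`) and the `to_ids` flag are real MISP fields. Publishing each list onto a DXL topic is left out so the block runs offline.

```python
"""Route MISP-style indicators to countermeasures (added example, not vendor code)."""
import json

PLACEHOLDER_SHA256 = "0" * 63 + "1"   # constructed hash

# Constructed MISP-shaped event. to_ids=False marks analyst context, not a block request.
MISP_EVENT = json.dumps({
    "Event": {
        "info": "constructed sample event",
        "Attribute": [
            {"type": "ip-dst", "value": "198.51.100.23", "to_ids": True},
            {"type": "domain", "value": "c2.example.invalid", "to_ids": True},
            {"type": "url", "value": "http://c2.example.invalid/gate", "to_ids": True},
            {"type": "sha256", "value": PLACEHOLDER_SHA256, "to_ids": True},
            {"type": "text", "value": "analyst note: constructed sample", "to_ids": False},
            {"type": "ip-dst", "value": "203.0.113.5", "to_ids": False},
            {"type": "ip-dst|port", "value": "198.51.100.77|8080", "to_ids": True},
        ],
    }
})

# Which countermeasure consumes which attribute types (assumption for illustration).
ROUTES = {
    "firewall": {"ip-dst", "ip-src"},
    "web_proxy": {"domain", "hostname", "url"},
    "endpoint_reputation": {"md5", "sha1", "sha256"},
}


def normalize(attr: dict):
    """Reduce composite types such as ip-dst|port to the part a firewall can use."""
    atype, value = attr["type"], attr["value"]
    if atype.endswith("|port"):
        atype = atype[: -len("|port")]
        value = value.split("|", 1)[0]
    return atype, value


def route_indicators(event_json: str, require_to_ids: bool = True):
    """Return ({countermeasure: [values]}, [skipped values]) for one MISP event.
    Attributes without to_ids, or of a type no countermeasure accepts, are skipped."""
    event = json.loads(event_json)["Event"]
    routed = {name: [] for name in ROUTES}
    skipped = []
    for attr in event["Attribute"]:
        if require_to_ids and not attr.get("to_ids", False):
            skipped.append(attr["value"])
            continue
        atype, value = normalize(attr)
        for name, accepted in ROUTES.items():
            if atype in accepted:
                routed[name].append(value)
                break
        else:
            skipped.append(attr["value"])
    return routed, skipped


if __name__ == "__main__":
    routed, skipped = route_indicators(MISP_EVENT)
    for name, values in routed.items():
        print(f"{name}: {values}")
    print("skipped:", skipped)
```

Keeping the `to_ids` check on by default is the safeguard a practitioner wants here: automated blocking must only act on indicators someone explicitly marked as actionable, otherwise a stray analyst note or a victim’s own address ends up on a firewall.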


There was a time when automation was a dirty word in security. Now, it is a necessity. A new Enterprise Strategy Group (ESG) survey, sponsored by McAfee and other technology vendors, shows that 3 out of 5 organizations see manual processes as holding them back from better organizational effectiveness when it comes to security analytics and operations. My rule of thumb is: The third time you do the same thing, automate it. That doesn’t mean automating actions like wiping a system or rebooting, but it does mean you get the machines to do the easy work. Automation can mean setting a policy, defining an alarm or quarantine based on a trigger, defining a correlation rule to make the same review decision you had been doing and then setting an alarm or creating a watchlist, or using a script to package and forward data. Any of these approaches is easily implemented with today’s technology.

A case in point – the findings also show that the #1 priority for automation and/or orchestration is integrating external threat intelligence with internal security data collection and analysis. That capability is entirely automated today with the McAfee Enterprise Security Manager. You can consume IOCs and mine your database to see if they are already part of your environment, generating alarms for any matches, and also set a watch in case these IOCs enter your infrastructure in the future. The watchlist can also implement an action you define – from simple alarm to active quarantine. Check out this video to see for yourself.


To unleash creativity, my middle school art teacher occasionally offered up all the painting, woodcarving, pottery, and collage resources in the studio, with no guidelines or constraints other than our imaginations and the available class time. The results ranged from the mundane to the inspired. I carved a 3D lobster. (Sadly, no picture survives, but let’s pretend it is as wonderful as the one here carved by Ryousuke Ohtake).

OpenDXL as a Blank Canvas

As an open source integration framework, OpenDXL is like that art studio. Creative security analysts and developers can use the OpenDXL SDK (libraries, classes, and helper classes), the Python client, and code examples on GitHub to express their own ideas and activate their APIs. They can build everything from simple productivity boosters to sophisticated conditional workstreams.

Unfortunately, unlike the art classroom, OpenDXL projects aren’t easily visible. So, we at McAfee created a virtual studio, a contest to see what our sales engineers would create with OpenDXL. [We also captured some examples in our new Idea Guide, downloadable here.]

One of the first contest submissions, now published to github.com/opendxl-community, helps solve the age-old malware analysis dilemma: how many sandboxes are enough?

Simple POCs with high value

Jesse Netz, a sales engineer on the East Coast, used OpenDXL to integrate the open source Cuckoo sandbox and the Palo Alto Networks WildFire sandbox with the DXL messaging fabric and the McAfee Advanced Threat Defense sandbox. These integrations can help enterprises get more value out of their existing resources and share the latest threat data for the fastest detection of emerging threats.

A Cuckoo sandbox can pull changing malware file reputations maintained by the McAfee Threat Intelligence Exchange and include these reputations in its processing as well as the Cuckoo report. TIE provides visibility into the local prevalence of the file, helping the analyst understand how widespread an infection might be. In addition, customers who have the McAfee Advanced Threat Defense sandbox would see the ATD verdicts appear within the Cuckoo report, enriching the Cuckoo details about what the sample did while executing.

DXL-integrated applications can use a lightweight DXL interface (service wrapper) instead of the Cuckoo APIs to access Cuckoo sandbox details (socket connections, registry writes, etc.) from anywhere, on-network or off-network. For this integration, Jesse reused a reference example provided in the OpenDXL SDK, the ePO API service wrapper.

WildFire verdicts update McAfee Threat Intelligence Exchange’s reputation database with new scores. Any application that listens to TIE reputation scores will get the updated information without having to integrate directly with WildFire, and can immediately inoculate its systems by blocking the newly identified malware. This example converts verdicts to TIE reputations.

Done in Hours, Not Weeks

The three integrations took a total of about 30 hours, with the hardest part being learning each third-party API. Once he had done the first OpenDXL integration, the subsequent ones were much easier. Without OpenDXL’s support for SSL, authentication, and authorization, Jesse estimates these integrations would have taken at least twice as long. Now, others don’t need to invest the time learning the Cuckoo and WildFire APIs and doing point-to-point integrations; they can just leverage OpenDXL topics and Jesse’s new service wrapper.

Looking ahead, Jesse is considering his next OpenDXL development, but we won’t know until he formally submits it to the programming contest. In the meantime, please stay tuned to github.com/opendxl-community for more examples, and fuel your own projects with the new Idea Book.

If you’ve read our previous blog, “Leveraging UEBA Capabilities in Your Existing SIEM,” you understand how McAfee Enterprise Security Manager can perform many essential UEBA functions leveraging its built-in advanced analytics and behavior modeling.

Doing It Better Together

For several specific use cases, you may find that you need a third-party UEBA product. Fortunately, through the McAfee ecosystem approach to security, you can integrate UEBA solutions from other vendors to expand the visibility of McAfee Enterprise Security Manager’s user monitoring and analytics. Such tight integrations with McAfee Enterprise Security Manager optimize security operations by:

Enabling enhanced reporting, visibility, and management. Data collected by the UEBA solution can be sent to the McAfee Enterprise Security Manager reporting engine, which can then create visualizations of that information and synthesize it within its existing operational reports, dashboards, and workflows.

Targeted attacks: It quickly surfaces attack paths as they unfold, including malware that propagates laterally.

Healthcare compliance: Policy violations and risky user behaviors are identified by monitoring users, files, applications, and all types of medical and computing devices.

UEBA solution integrations with both the McAfee Enterprise Security Manager SIEM solution and the McAfee Data Exchange Layer threat intelligence sharing fabric can identify indicators of attack and feed those back into the SIEM to facilitate threat hunting. False positives are minimized, and analysts can focus on high-priority actionable items. In effect, these integrations create a closed-loop system, with continuous interaction between the products. Integration with McAfee Data Exchange Layer enables and accelerates communication of threat intelligence across multiple security solutions. This can dramatically speed detection and remediation across the entire enterprise security ecosystem, supporting the entire threat lifecycle.

In a previous blog, “How to Gain a Competitive Advantage with an Integrated Approach to Security,” we’ve shown you how adding an advanced threat analysis technology to a large enterprise security ecosystem is contributing to its success both operationally and from a business perspective.

This time, we’ll step through the technical details of how to combat unknown malware in a typical enterprise environment. Let’s look at a company that has just gone through an acquisition. As a result of the acquisition, employees are being required to use many new applications. One of the employees clicks a link in an email for an application that appeared legitimate but is, in fact, malicious and installs a keylogger that captures users’ keystrokes.

Here’s how the McAfee integrated ecosystem approach to security rapidly responds to unknown files of this kind and prevents them from executing and doing damage across the organization.

Step 1:

McAfee Threat Intelligence Exchange discovers the keylogger on endpoints and blocks the file from executing. The Threat Intelligence Exchange client then queries the McAfee Threat Intelligence Exchange server on file reputation and simultaneously queries McAfee Global Threat Intelligence, which gathers file reputation intelligence from millions of sensors all over the world. The file is cached on the server while McAfee Threat Intelligence Exchange checks its blacklist and whitelist. After this query-response process, McAfee Threat Intelligence Exchange can update the reputation as “good” or “bad.” However, in this case, the file is unknown and requires further analysis.

Step 2:

Through a REST API, McAfee Threat Intelligence Exchange communicates with McAfee Advanced Threat Defense, where the unknown file is sent for further analysis via sandboxing. McAfee Advanced Threat Defense spins up a virtual machine (VM) to detonate the file via dynamic analysis, which enables examination of any malicious behavior. At the same time, McAfee Advanced Threat Defense will perform static code analysis by unpacking the file and reverse engineering the code, allowing comparison to known malware families leveraging code reuse and identifying any potentially malicious code. Obfuscated and metamorphic code, which can be highly evasive, can be unveiled through the combination of dynamic and static code analysis. If any malicious intent is identified, McAfee Advanced Threat Defense then convicts the file and updates the reputation, applying a high-severity rating, in this case. This process reveals several indicators of compromise (IoCs) about the file: it attempts to bypass security controls, it installs a keylogger, and it makes connections to risky websites. The file is then sent back to the McAfee Threat Intelligence Exchange server, which updates its local repository and any integrated vector from endpoint to network. McAfee Advanced Threat Defense will also publish IoCs across the McAfee Data Exchange Layer (McAfee DXL), to any subscriber.

Step 3:

McAfee Data Exchange Layer, which enables sharing of threat information across McAfee security components and third-party security products, publishes these IoCs for ingestion by other solutions in the environment.

Step 4:

McAfee Data Exchange Layer will publish IoCs generated from McAfee Advanced Threat Defense to the security information and event management system (SIEM), McAfee Enterprise Security Manager. The SIEM then aggregates the IoCs and correlates these events. For example, it can do historic investigation, looking into its archives of networks or systems to find evidence of this malware and correlate these IoCs with other events. If it finds that systems have connected to malicious URLs associated with the keylogger, it can send out additional alerts so that remediation can be applied. Once the correlation has been done, McAfee Endpoint Threat Defense and Response uses its automated search capability to get access to this information and generates a URL that will open up the McAfee ePolicy Orchestrator (McAfee ePO) management console where McAfee Active Response is housed, and the pivot to remediation can take place.

Step 5:

Since the malware has a high-severity rating, McAfee Enterprise Security Manager triggers an alert, which enables the administrator to take remediation actions, such as killing the process or removing the file—along with any trace files—from the affected machines.
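The five steps above form one closed loop: a reputation lookup with local block/allow precedence, an unknown file held and sent to the sandbox once, a verdict published on a topic, and a SIEM subscriber correlating the resulting IoCs against history. The added example below (not McAfee code, and not the TIE, ATD or DXL APIs) models that loop with an in-process publish/subscribe bus. The hashes, the global reputation table, the sandbox verdict, the topic names and the historical events are all constructed.

```python
"""Simulated reputation lookup and verdict loop (added example, not McAfee's code)."""
from collections import defaultdict


class Bus:
    """Minimal in-process publish/subscribe fabric standing in for DXL topics."""

    def __init__(self):
        self.subscribers = defaultdict(list)

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, message):
        for handler in self.subscribers[topic]:
            handler(message)


# Constructed global reputation feed (stands in for a cloud reputation service).
GLOBAL_REPUTATION = {"hash-known-good": "good", "hash-known-bad": "bad"}


def sandbox_detonate(file_hash):
    """Constructed sandbox: returns verdict, severity and IoCs for a sample."""
    if file_hash == "hash-keylogger":
        return {"verdict": "bad", "severity": "high",
                "iocs": {"url": "http://c2.example.invalid/gate"}}
    return {"verdict": "good", "severity": "none", "iocs": {}}


class ReputationServer:
    """Local reputation store: explicit lists win, then cached verdicts, then global."""

    def __init__(self, bus):
        self.bus = bus
        self.blocklist, self.allowlist = set(), set()
        self.cache = {}        # verdicts learned from the sandbox
        self.submitted = set()  # unknown hashes already sent for analysis

    def lookup(self, file_hash):
        if file_hash in self.blocklist:
            return "bad"
        if file_hash in self.allowlist:
            return "good"
        if file_hash in self.cache:
            return self.cache[file_hash]
        reputation = GLOBAL_REPUTATION.get(file_hash, "unknown")
        if reputation == "unknown" and file_hash not in self.submitted:
            self.submitted.add(file_hash)            # submit each unknown only once
            self.bus.publish("/sandbox/submit", file_hash)
        return reputation

    def on_verdict(self, message):
        self.cache[message["hash"]] = message["verdict"]


class Sandbox:
    def __init__(self, bus):
        self.bus = bus
        bus.subscribe("/sandbox/submit", self.analyze)

    def analyze(self, file_hash):
        self.bus.publish("/reputation/verdict", {"hash": file_hash, **sandbox_detonate(file_hash)})


class Siem:
    """Correlates published IoCs against constructed historical events."""

    def __init__(self, bus, history):
        self.history, self.alerts = history, []
        bus.subscribe("/reputation/verdict", self.correlate)

    def correlate(self, message):
        if message["verdict"] != "bad":
            return
        url = message["iocs"].get("url")
        hosts = sorted({e["host"] for e in self.history if e.get("url") == url})
        self.alerts.append({"hash": message["hash"], "severity": message["severity"], "hosts": hosts})


def endpoint_decision(reputation):
    """Only a known-good file may run; unknown files stay blocked pending a verdict."""
    return "allow" if reputation == "good" else "block"


def run_scenario():
    bus = Bus()
    history = [{"host": "ws-014", "url": "http://c2.example.invalid/gate"},
               {"host": "ws-022", "url": "http://example.com/"}]
    tie = ReputationServer(bus)
    Sandbox(bus)
    siem = Siem(bus, history)
    bus.subscribe("/reputation/verdict", tie.on_verdict)
    first = tie.lookup("hash-keylogger")    # unknown: held, submitted to the sandbox
    second = tie.lookup("hash-keylogger")   # verdict now cached locally
    return first, second, siem.alerts


if __name__ == "__main__":
    print(run_scenario())
```

Two details carry the security weight: an unknown file is blocked rather than allowed while the verdict is pending, and the local blocklist outranks both the cache and the global feed, so an administrator’s conviction is never overridden by a stale “good” from elsewhere.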

This use case illustrates the value of a unified architecture, where collaboration of all your security components can dramatically improve security operation response and efficiency, reduce threat dwell time, and increase your capacity to handle security events. In a recent McAfee survey, 70% of participants believe that this approach results in reduction of manual efforts through integrated workflows and automation and 65% believe it provides more effective triage automation.

Watch our video, and see the power of McAfee integration and intelligence sharing in action: “Defeat the Grey.”


For more than a decade, in response to higher volumes of alerts, security information and event management (SIEM) has been an integral component of enterprise security programs. However, the increasing sophistication and complexity of attacks are driving the need for advanced analytics beyond the log aggregation of older SIEM solutions. Security analytics, which uses Big Data technologies, has emerged to fill the gap.

In its recent report, “Security Analytics Team of Rivals,” consulting firm Securosis contends that security analytics solutions provide maximum value when integrated with advanced SIEM solutions and vice versa. One is not a replacement for the other, nor should they be viewed as competing solutions.

Most enterprises have had a SIEM in place for a number of years. Its main strengths include: data aggregation, correlation, forensics and incident response, and reporting. The data sets that are generally handled best by a SIEM are network data, endpoint activity, server and data logs and change control activity, identity data, application logs, and threat intelligence feeds.

One thing that some SIEMs struggle with is finding patterns in large volumes of data. Security analytics solutions, on the other hand, are designed specifically to crunch through the SIEM's huge data sets looking for indicators of malicious activity, such as anomalous patterns of activity, misconfiguration, or privilege escalation. Integrated, the two are particularly good at advanced threat detection and at tracing insider attacks.

How do you benefit from integrating analytics solutions with your SIEM? For one thing, today's security analytics solutions don't let you search for an alert and then set an incident response process in motion; SIEMs handle that job, and they lend themselves well to easy and comprehensive threat activity visualizations and reporting. There are two key integration points where you'll find the combination invaluable:

Automated Data Analysis: SIEMs have long been proficient at collecting and aggregating data. To extract that data for further analysis, make sure your SIEM and security analytics integration has sufficiently robust automated processes; this can save an enormous amount of time.

Alert Prioritization: Both your SIEM and your security analytics tools will create and send out alerts. Bi-directional information sharing between the SIEM and security analytics solutions is essential so that your team can prioritize investigative actions and maintain context.

Let’s look at a scenario where SIEM and security analytics complement one another to detect what appears to be an advanced insider attack. In this use case, the security team of a fast-growing retail operation receives an alert from its SIEM solution: an insider appears to be probing the internal network, highly unusual activity for an employee. For a more complete picture, the team turns to its integrated SIEM and security analytics solution for additional insight into what the adversary is up to. The integrated investigation reveals several types of unusual activity, such as privilege escalations and configuration changes on multiple devices. The SIEM reconstructs the attacker's path, ending at the compromise of the device that triggered the alert in the first place, which enables smarter and faster remediation.


Simply adding an advanced threat analysis technology to your security stack can expand detection and solve some immediate security issues. But thinking beyond standalone detection to an integrated ecosystem can not only improve detection and protection throughout your organization, it can also enhance your business by optimizing security operations response time, giving you a competitive edge.

Vidant’s information security director, Kirk Davis, explains that prior to adopting this solution, his team was on “alert overload” and experienced long delays in receiving information about threat activity. The McAfee solution answered the need for a security decision support platform that would allow the information services group to spend most of their time enabling growth, innovation, and delivery of patient-centered services, such as managing and tracking rounds by medical staff, protecting electronic health records, and streamlining clinical workflows.

Just days after the brief deployment period, Davis was seeing results from the solution. The SIEM component, McAfee Enterprise Security Manager, dramatically increased visibility into security events and suspicious files detected and convicted by dynamic and static analysis technologies used by McAfee Advanced Threat Defense.

Tight integration and automation greatly reduce the time from detection to protection and correction across the entire organization. As Davis suggests, “Being able to have that immediate visibility to threats and being able to guard against them without any human intervention really allows us to focus on our core business, which, believe it or not, is not running down malicious code.”

According to Davis, implementation of the integrated solution resulted in a positive ROI in just six months. For example, Vidant and its care partners no longer experience costly losses in productivity and operational expense associated with the amount of time and effort spent combating evasive and complex threats like CryptoWall ransomware.

Vidant has derived significant business value from the open and collaborative approach to security enabled by McAfee solutions. With greater visibility to potential threats, this approach empowers security operations teams to act swiftly, optimizing response and efficiency. For Vidant, automated and coordinated security is essential. “If we want to have information services as a competitive advantage, we need to make sure we know exactly how to package and scale our infrastructure, security, and support services as we grow,” says Davis. And, as he can tell you, McAfee integrations have already contributed to his organization’s success.

To learn more about how an integrated ecosystem like the one implemented by Vidant can help you combat unknown malware, watch our video, “Defeat the Grey.”


User and entity behavior analytics (UEBA) uses advanced analytics to track and flag suspicious behaviors of both users and assets, such as networked assets, sensors, databases, devices, and hosts.
There are many reasons why UEBA is gaining traction as both an integrated tool with SIEM as well as a standalone solution. A few include:

The need to add additional context to SIEM and orchestration systems for more effective continuous monitoring, detection, and remediation.

Some SIEM vendors, like McAfee, not only deliver integrations with UEBA solutions, but also already include UEBA capabilities in their products. McAfee Enterprise Security Manager employs a combination of intelligent anomaly detection and user and entity specific rules, along with other correlation models, to perform many UEBA functions efficiently and effectively—right out of the box!

McAfee Enterprise Security Manager factors in anomalous behavior—including user activities—as part of its continuous monitoring and incident prioritization. User behaviors are incorporated into calculations of security and risk to help security teams identify and prioritize security events. Some of the user behaviors that McAfee Enterprise Security Manager detects as unusual activities include: creation of new accounts or account lockouts, possible data exfiltration behaviors (emailing sensitive data outside the network), an increase in traffic to business applications, and events like late-night logins from unexpected locations or simultaneous remote logins to multiple locations.

Security professionals agree that speed and accuracy are of the essence when it comes to detecting, analyzing, and triaging threats. McAfee Enterprise Security Manager addresses this requirement by using multiple types of correlation to gather, parse, and process the user behavior data it receives.

An additional component of the McAfee SIEM solution is the McAfee Advanced Correlation Engine, which is purpose-built to analyze huge volumes of data without impacting your SIEM’s performance. It performs four types of correlation—rule-based, risk-based, standard deviation, and historical—for a real-time look at threats initiated by users against high-value assets and sensitive data.
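The behaviors listed above (late-night logins from unexpected locations, simultaneous remote logins to multiple locations) and the correlation types just named (rule-based, risk-based, standard deviation, historical) can be made concrete with a small correlator. The block below is an added example, not McAfee Enterprise Security Manager code: it runs a rule for late-night logins from a location the user has never used, a check for near-simultaneous logins from different locations, and a standard-deviation test of each user's daily login count against that user's own history, then weights the hits into one risk score per user. The users, timestamps, locations, weights, windows and thresholds are all constructed for illustration.

```python
"""
Added example, not McAfee code: a small user-behavior correlator over
constructed authentication events. All names, thresholds and weights
are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

# Constructed auth events: (user, ISO timestamp, source location, outcome)
EVENTS = [
    ("alice", "2017-05-01T09:02:00", "US-NC", "success"),
    ("alice", "2017-05-01T09:03:00", "US-NC", "success"),
    ("alice", "2017-05-02T09:10:00", "US-NC", "success"),
    ("alice", "2017-05-03T08:55:00", "US-NC", "success"),
    ("alice", "2017-05-04T02:41:00", "RO",    "success"),   # late night, new location
    ("alice", "2017-05-04T02:45:00", "US-NC", "success"),   # minutes later, elsewhere
    ("bob",   "2017-05-01T10:00:00", "US-NC", "success"),
    ("bob",   "2017-05-02T10:05:00", "US-NC", "success"),
    ("bob",   "2017-05-03T10:02:00", "US-NC", "success"),
    ("bob",   "2017-05-04T10:01:00", "US-NC", "failure"),
    ("carol", "2017-05-01T11:00:00", "US-NC", "success"),
    ("carol", "2017-05-02T11:00:00", "US-NC", "success"),
    ("carol", "2017-05-03T11:00:00", "US-NC", "success"),
] + [("carol", f"2017-05-04T11:{m:02d}:00", "US-NC", "success") for m in range(0, 30, 5)]

DAY = date(2017, 5, 4)                 # the day under review
LATE_NIGHT_HOURS = range(0, 5)         # 00:00-04:59
WEIGHTS = {"late_night_unexpected": 40, "simultaneous_locations": 50, "login_volume": 30}


def parse(raw):
    """Normalize tuples to dicts, sorted by user then time (rules rely on that order)."""
    events = [{"user": u, "ts": datetime.fromisoformat(t), "loc": l, "outcome": o}
              for u, t, l, o in raw]
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def rule_late_night_unexpected(events):
    """Rule-based: successful small-hours login from a location absent from the user's history."""
    hits, seen = [], defaultdict(set)
    for e in events:
        user, known = e["user"], seen[e["user"]]
        if (e["outcome"] == "success" and e["ts"].hour in LATE_NIGHT_HOURS
                and known and e["loc"] not in known):   # skip users with no history yet
            hits.append((user, f"late-night login from new location {e['loc']} at {e['ts']}"))
        known.add(e["loc"])
    return hits


def rule_simultaneous_locations(events, window=timedelta(minutes=30)):
    """Two successful logins by one user from different locations inside the window."""
    hits, by_user = [], defaultdict(list)
    for e in events:
        if e["outcome"] == "success":
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["loc"] != cur["loc"] and cur["ts"] - prev["ts"] <= window:
                hits.append((user, f"logins from {prev['loc']} and {cur['loc']} within {window}"))
    return hits


def rule_login_volume(events, day, z=2.0, min_baseline_days=3):
    """Standard deviation: today's event count vs the user's own earlier days."""
    hits, counts = [], defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["ts"].date()] += 1
    for user, per_day in counts.items():
        baseline = [n for d, n in per_day.items() if d < day]
        if len(baseline) < min_baseline_days:   # not enough history to judge
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        threshold = mu + max(z * sigma, 1.0)    # floor: a flat baseline still needs a real jump
        today = per_day.get(day, 0)
        if today > threshold:
            hits.append((user, f"{today} logins on {day} vs baseline mean {mu:.1f}, sd {sigma:.1f}"))
    return hits


def risk_scores(events, day):
    """Risk-based: weight every rule hit into one score per user for prioritization."""
    scores = defaultdict(int)
    for name, hits in (("late_night_unexpected", rule_late_night_unexpected(events)),
                       ("simultaneous_locations", rule_simultaneous_locations(events)),
                       ("login_volume", rule_login_volume(events, day))):
        for user, _ in hits:
            scores[user] += WEIGHTS[name]
    return dict(scores)


if __name__ == "__main__":
    for user, score in sorted(risk_scores(parse(EVENTS), DAY).items(), key=lambda kv: -kv[1]):
        print(user, score)
```

Two design points a practitioner would want: each rule declines to judge a user who has no history yet rather than flagging everything as new, and the volume rule keeps a minimum jump above a flat baseline so a user whose count is always exactly one is not flagged at two.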


Share your perspective and help benchmark the industry. [And SANS will enter you to win a $400 Amazon gift card!] This is the 4th year that McAfee has co-sponsored the SANS Incident Response survey. We would appreciate your help capturing this year’s insights by completing this survey: https://www.surveymonkey.com/r/2017SANSIRSurvey

Past survey findings have helped us understand key trends such as the hurdles holding back success, the evolution of SOC maturity, the data being targeted, use of automation, and priority investments for improving results. This market is changing quickly, and surveys are an excellent way to benchmark your experience against your peers and identify opportunities. Whether you want to commiserate or collaborate, data makes the conversation more compelling.

Below are two of my favorite charts from last year’s survey, with my prognostications for this year’s survey. I’ll review my predictions after the 2017 survey is published and grade myself!

What’s causing the breaches?

Malware will continue to dominate given malware’s contribution to so many phases of so many forms of attack, and the ubiquity of toolkits and tool sharing as well as ransomware.

Access-oriented attacks (unauthorized, insider breach, privilege escalation, and data breach) should remain a top concern, and cloud services and shadow IT should continue to make these attacks both likely and challenging. Silver bullets like UBA won’t change this dynamic much.

Network-based attacks will continue to decline as the formal perimeter focuses on the data center rather than the entire enterprise estate.

I’m curious if insider breach will show an uptick rather than continued decline, as it has been trending higher in industry conversations recently.

How well are we automating our remediation?

Last year’s data showed a (to me) disappointing degree of manual remediation still, despite the availability of simple automation for basic remediation processes through assorted tools. But this year I think (and other surveys validate) that the industry has turned the corner and is actively pursuing “safe” automation. I certainly expect to see greater adoption of automation as we attempt to survive the expanding range and volume of incidents.

Automated quarantine (the top response) or taking offline are totally in scope for automation today. I’d like to see a big jump in the use of automation there. Identifying similar systems, removing malicious artifacts without rebuilding the machine, and updating policies and rules are also easily done now. Here’s hoping we see all of these make a big shift to automation.

These two data sets are from 2016. As reference, here are all of the previous surveys:


Superheroes are part of the lore of American culture; the thought of a human being acquiring superhuman powers such as flight, invisibility, or breathing underwater has always intrigued many. Speed and agility is one of the sets of powers that has caught a lot of attention: the ability to transcend time and achieve a goal such as getting somebody out of the way of a speeding bullet. One particular superhero is The Flash. His ability to move rapidly has amazing advantages that ultimately can protect against disaster. It’s time to adapt our cyber security abilities to be more like The Flash.

Enter the days of Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL), which do exactly that for the threat landscape: provide a new approach to producing a different outcome.

So many of us are living in the past regarding how we have implemented security technologies. It’s imperative that we start to focus our time on the unknown, to shrink the gap between malicious and safe. Moreover, the way to change security outcomes is by changing the fundamental ways technologies interact, no matter who manufactures them. Let’s face it, we’re tired and we need automation.

Many of us are still leveraging anti-virus signatures, which are important, and some of us leverage cloud detection plus signatures, but it’s still a basic approach. Signatures reflect a point in time and only address what is known. It’s a challenge to know every piece of malware and keep up signatures for each one. About 10 years ago, McAfee Labs would get about 20 or so new and unique pieces of malware a day – truly never been seen before. Fast forward 10 years and we see about 500,000 new pieces of malware a day. It’s time to automate and collaborate.

We are accustomed to the process of submitting malicious code to McAfee Labs, which can be time-consuming. While waiting for a response the business isn’t protected. The malware is able to replicate itself and perhaps move laterally.

Here’s the general process that many of us use day to day:

1. Hunt to find the infected endpoint.

2. Capture the malicious code.

3. Submit the malicious code to McAfee Labs.

4. Wait for a response. This could take a long time, 48 hours in some cases, depending on the complexity of the code.

5. McAfee Labs distributes an Extra.DAT to the customer.

6. The Extra.DAT is deployed to the environment over time.

7. Run a full scan of the endpoints across the environment (hoping that the malicious code was eradicated and wasn’t polymorphic).

8. If polymorphic, go back to step 1 and start over.

9. Reimage the endpoint and move on.

There is hope, however! Advancements in architecture are enabling businesses to derive context out of every new file as it emerges in the environment. For example, a new file is downloaded that invokes the endpoint and network controls to work together to understand the file. What is it? Why is it packed a certain way? What is its source? These simple questions, if not answered in a way that says “Safe,” will trigger an automated workflow. They start to correlate and analyze the file. The process checks public and private threat intelligence, leverages a sandbox, and collaborates with other security controls.

The sum of the security controls working together obtains a “composite reputation,” meaning many security controls will work together to establish the true reputation of the file. Even if there is no signature, the file can still be eradicated from the architecture. No more long drawn-out process. How does that sound?

Enter the age of the Threat Intelligence Exchange (TIE). In the TIE scenario, the architecture can quickly draw on many sources of information to answer the question of good or bad, safe or malicious. If there is no local detection capability, such as a signature in a DAT, a workflow is invoked to resolve the file. The composite score aggregates the verdicts of the engines working together to score the unknown file as good or bad. By obtaining the score in this manner, TIE is effectively writing a signature on the fly, with little chance of error. The file is eradicated and the conviction is shared with every countermeasure in the architecture that is listening for updates on DXL, a simple connection fabric that provides a secure, real-time way to unite data and actions across multiple applications, from different vendors as well as your own.

Now the kicker – the whole process may seem like this takes a long time. In fact, this process happens in seconds. This is the speed and agility that is needed. This solves the issue of the large increase in malicious code that we see every day. The days of automation are here, thanks to TIE and DXL. Together, they too warrant the name “The Flash.”
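To make the composite-reputation workflow described above concrete, here is an added example, not McAfee code and not the TIE, GTI or DXL interfaces: a broker asks the reputation sources it has about an unknown file hash, combines their scores into one composite, detonates in a sandbox only when the cheap sources are inconclusive, and publishes the verdict on an in-process topic bus so every subscribed countermeasure enforces it at once. The hashes, scores, weights, thresholds, behaviour names and the bus itself are constructed stand-ins.

```python
"""
Added example, not McAfee code: a toy composite-reputation broker with
publish/subscribe fan-out. All hashes, scores, weights and thresholds
are constructed for illustration.
"""
from collections import defaultdict

# Scores run from -100 (certainly malicious) to +100 (certainly clean).
DECISIVE = 50                    # |score| at or above this needs no further evidence
TOPIC = "reputation/verdicts"    # constructed topic name

# Constructed global-reputation table (hash -> score); absent means unknown.
GLOBAL_REPUTATION = {
    "a" * 64: 90,      # widely seen, clean
    "b" * 64: -95,     # known malware
    "d" * 64: 40,      # weakly positive, inconclusive on its own
}

# Constructed sandbox observations per hash.
SANDBOX_BEHAVIOURS = {
    "c" * 64: ["bypasses_security_controls", "installs_keylogger", "contacts_risky_site"],
    "d" * 64: ["writes_temp_file"],
}
MALICIOUS = {"bypasses_security_controls", "installs_keylogger",
             "contacts_risky_site", "persists_via_run_key"}


def sandbox_detonate(sha256):
    """Constructed dynamic-analysis stand-in: score from observed behaviours."""
    bad = [b for b in SANDBOX_BEHAVIOURS.get(sha256, []) if b in MALICIOUS]
    if bad:
        return -min(100, 35 * len(bad))
    return 60  # a clean run is only moderate evidence: evasive samples exist


def composite(verdicts):
    """Weighted mean of (weight, score) pairs from the sources that answered."""
    total = sum(w for w, _ in verdicts)
    return sum(w * s for w, s in verdicts) / total if total else 0.0


class TopicBus:
    """Minimal publish/subscribe fabric standing in for a message bus."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, topic, message):
        for handler in self._subs[topic]:
            handler(message)


class ReputationBroker:
    def __init__(self, bus, global_rep, sandbox):
        self.bus, self.global_rep, self.sandbox = bus, global_rep, sandbox
        self.cache = {}            # hash -> decision, the "signature written on the fly"
        self.sandbox_runs = 0

    def resolve(self, sha256):
        if sha256 in self.cache:             # already convicted or cleared
            return self.cache[sha256]
        verdicts = []
        g = self.global_rep.get(sha256)
        if g is not None:
            verdicts.append((1.0, g))
        score = composite(verdicts)
        if abs(score) < DECISIVE:            # grey: detonate for more evidence
            self.sandbox_runs += 1
            verdicts.append((1.5, self.sandbox(sha256)))
            score = composite(verdicts)
        action = "block" if score <= -DECISIVE else "allow" if score >= DECISIVE else "monitor"
        decision = {"sha256": sha256, "score": score, "action": action, "sources": len(verdicts)}
        self.cache[sha256] = decision
        self.bus.publish(TOPIC, decision)    # fan out to every subscriber at once
        return decision


class Endpoint:
    """A subscribed countermeasure that enforces published convictions."""
    def __init__(self, name, bus):
        self.name, self.blocked = name, set()
        bus.subscribe(TOPIC, self.on_verdict)

    def on_verdict(self, msg):
        if msg["action"] == "block":
            self.blocked.add(msg["sha256"])

    def execute(self, sha256, broker):
        if sha256 in self.blocked:
            return "blocked_locally"         # no lookup, no sandbox, no wait
        return broker.resolve(sha256)["action"]


def run_scenario():
    """Two endpoints meet the same never-before-seen file; only one detonation happens."""
    bus = TopicBus()
    broker = ReputationBroker(bus, GLOBAL_REPUTATION, sandbox_detonate)
    ws1, ws2 = Endpoint("ws-001", bus), Endpoint("ws-002", bus)
    unknown = "c" * 64
    return {"first": ws1.execute(unknown, broker),
            "second": ws2.execute(unknown, broker),
            "sandbox_runs": broker.sandbox_runs,
            "score": broker.cache[unknown]["score"]}


if __name__ == "__main__":
    print(run_scenario())
```

The second endpoint never asks the broker: the conviction reached it over the bus before it saw the file, which is the difference between this flow and the submit-and-wait-for-an-Extra.DAT process. The "monitor" outcome is deliberate; a file that stays grey after every source has answered should be watched rather than silently allowed.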

Here are some questions to consider –

Are you approaching anti-malware with the same approach?

Are you using any 3rd parties to help with detection?

Is your organization accustomed to just re-imaging an endpoint and moving on? What is that cost to you?


For the average security analyst, it’s no secret that their days are overloaded with more “hair on fire” moments than “Zen” moments.

The 2016 SANS Incident Response Survey paints a clear and sobering picture of the demands being placed on security analysts. The survey lists, in order, the following impediments to effective incident response:

Lack of staffing and proper skills

Not enough visibility across systems and domains

Lack of budget for needed tools or technology

Processes and owners not clearly defined

Organizational silos

Difficulties in detecting sophisticated attacks

All of the above results in:

Further weight on your analyst’s shoulders

Excessive dwell time and a long mean time to remediate (MTTR)

So we get it. You’ve got too many unknowns, not enough relevant insight, and functions and technologies tripping over each other trying to help sort out what is really going on! Your analysts need a technology security partner to help detect, investigate and remediate today’s never-ending threat sources.

As threats and responsibilities have expanded, the security information and event management (SIEM) solution has become one of the greatest assets an analyst has, the Swiss Army Knife of incident response and orchestration. You also reach for your SIEM for advanced analytics, including user and entity behavior analysis, real-time monitoring, and data and application monitoring. The problem, as Barbara Kay outlines in her blog, “Eating an Elephant: How the ESM 10 UX team reenergized SecOps,” is the amount of information that the average analyst has to retain as she or he swivels from incident response to advanced threat management to user monitoring.

So as your SOC makes the move to more proactive threat management and predictive, contextual analysis and orchestration, we’re evolving McAfee Enterprise Security Manager (ESM) to reduce the cognitive strain, and guide and automate more of the routine tasks, such as watchlist management, incident tracking and advanced correlation rule set-up, so that you can focus on the critical decision-making responsibilities. McAfee ESM 10.0 is an important step in that evolution.

As more changes are rolled out, we want to make it easier for you to find the information you need and to stay informed. So we are providing some new communications tools for you beginning this month.

The new McAfee Enterprise Security Manager (SIEM) Information Center is a one-stop site for answers to both common and unusual SIEM challenges.

We have heard from customer surveys and from calls to McAfee Support Services that you need more guidance on where to go for more information. So we have responded with a new SIEM Information Center page – your one-stop shop for all things SIEM. On this page, you’ll find the latest and greatest advice from our SIEM subject matter experts, as well as access to shared wisdom from our SIEM user community. To make such invaluable content easier to find, we are categorizing all of our SIEM content according to the commonly recognized SIEM capability categories and use cases that our customers reference. Bookmark this page and check it frequently for updates.

As a member of our McAfee ESM user community, you will be interested in the McAfee SIEM Focus newsletter that debuts this month. For those of you who subscribe to the McAfee Support Notification Service, you know how valuable and timely the ProTips, Weekly Roundup, and monthly SNS Digest emails can be. Because of the fast-moving and complex environment in which security analysts and other SIEM users operate, we want to provide you with a dedicated newsletter featuring practical use cases, demonstrations, and other in-depth, roll-up-your-sleeves examples of how to get the most from the McAfee ESM solution. Subscribe now so you don’t miss a single issue.

Finally, don’t miss out on the action on our SIEM Community site. We encourage you to sign up and participate with our 219 active users. We are all learning from each other. Join today, stay connected and discover for yourself how Together is Power.


Those who have experienced them know how scary their world becomes when a grass fire or forest fire gets out of control. As these fires become more intense, they create their own weather, generating their own winds, making them more difficult to fight and often moving far faster than firefighters can. The outcome is often a huge loss of property and frequently a significant loss of lives, both animal and human. As temperatures continue to rise and we experience longer and longer periods of drought, these fires are becoming more frequent and more severe.

Local, state and federal agencies have come together to address these frequent events and the disasters they cause. They are looking at strategies to be more prepared, to respond more quickly and to be more effective. They can’t afford all the resources they need, and even if they could, they’d need an improved infrastructure to deploy and manage these resources. They know they need all the manpower and equipment they can find but just as important, they know that communications, coordination, and cooperation are absolutely essential to their success.

Isn’t this the same problem one faces in fighting cybercrime? Malicious activity is occurring all the time, and it’s difficult to know immediately when an event happens, where it takes place, what it’s doing, and what’s at risk. You have also purchased and deployed many tools to assist in the fight. However, it still takes too much time and too many resources just to identify what’s happening. Once you have, it can still take costly minutes, hours or days to identify and implement a plan to kill the exploit and its ability to steal your valuable data, causing loss of PCI data, PII, financial data or IP, or to impact your operations or ability to conduct business.

Over the past 15 years, McAfee has continued to be laser focused on providing our customers with an enterprise-ready infrastructure or framework to protect their connected world. We began with ePO over 15 years ago. It was the very first product to be able to deploy, configure and manage security solutions for over 100,000 systems. We added functionality to put new protections in place over the years: Host IPS, Web Protection, Whitelisting, Change Control, File Integrity Management, Encryption, Device Control, Data Loss Prevention and more. This framework was, by far, the most effective solution in the market and helped to improve security and drive down the cost of security operations.

However, just like we’ve seen the impact of climate change on strategies required to fight fires, today’s threat landscape also requires new strategies. To that end, we’ve taken a very hard look at today’s requirements and are now delivering solutions/technologies that are far more comprehensive, along with a new framework that allows for real-time visibility to our infrastructures and the ability to respond in real time. We’ve introduced new solutions, including Advanced Threat Defense (ATD), Dynamic Access Control (DAC) and Real Protect to improve our ability to detect new threats and protect your users and systems. And with the introduction of the Data Exchange Layer (DXL) and the Threat Intelligence Exchange (TIE), we not only have the ability to know what’s happening in real time, but we have the intelligence to analyze the data and automate the real-time prevention of attacks. Today, McAfee solutions will detect issues and take action on a very high percentage of advanced threats, leaving your valuable resources time to address the most difficult issues. With the introduction of McAfee Active Response (MAR), we provide our customers with the ability to perform extensive forensics as well.

These new tools are allowing McAfee users to significantly improve their effectiveness and efficiency, greatly improving their time to identification and resolution of issues and driving down their cost of operations.

A courtesy shout out to my colleagues in Northern California for this critical thinking – Thank you Bruce, Brook & Mike.

The second of a two-part series.

In the previous post in this series, we described how re-creating the user experience for overburdened SOC analysts was a task like “eating an elephant.” To help analysts who are constrained by time and cognitive overload, we needed a vision, a strategy and a plan to “save time and save mental energy.”

After extensive, in-depth interviews with users, we realized that the majority of user time is spent in analysis and research. This finding drove our plan. We focused first on the analysts and the workflows and workspaces where they spend the majority of their time.

Now you can see the results in ESM 10.0. The user experience team recommends these 3 things to appreciate first:

Quick start: you will find that the organization simplifies building and navigating relationships, so you can create views and get started without reading manuals (although we still recommend looking at the ESM expert center!). The most commonly used views appear together by default, and help you make use of associated content packs and their views, dashboards, rules, and alerts (including correct placement of related updates to keep you organized). While the donut visualizations will help you identify trends and pursue relationships, the right clicks help you navigate to next steps. And, if you are a current user, you can import existing views from within the console to bring forward your preferred processes and organizational knowledge.


Centralized, dynamic workspaces: Multiple tabs within the same dashboard pane organize parallel exploration of ideas. The analyst can simultaneously drill down and filter through different lenses of the data without losing context and state or re-applying searches and filters. With several tabs active at once, you can toggle back and forth to pursue different tasks, or within a task, collect and guide analysis or research hypotheses. This means less holding of information in your memory and less repetition, including defining complex searches. Further, a majority of our configuration, advanced settings, and set up tools now live in panels that slide in to the side of the dashboard instead of popping up in a window in front of the dashboard. This allows users to stay in context with their current investigation (stay in the same mental “room”) while they adjust settings in the various tools. In addition, the context menus mean that right clicking on a specific item—such as a field on a record within a table chart—will provide the user with quick access to actions specific to that field.

ESM 10.0 features directed search to help users quickly navigate to desired content without remembering folder structures or even the exact names of things.

Directed search: Detecting signal from the noise means filtering and searching through alerts and events, and avoiding the distraction of unneeded data. The new advanced search and filter organization includes auto-complete to help guide users to find or choose from relevant associations quickly, rather than needing to know what choices are appropriate to the data or investigation type. Auto-complete simplifies device selection, view management, queries, and filters, to name a few, as the user quickly navigates to the content they desire, without having to remember exactly where it resides within the folder structure of these tools. For example, we prompt for the best visualization options for each search result type to quickly filter and customize data. As you navigate, the process creates bindings that you can save for later. You can then take quick actions on data points, such as creating watchlists and case management, by accessing right-click contextual menus. Synthesizing all these workflow steps into a single place helps the right thing happen, consistently, with less effort, repetition, and time. Our improved search also means you do not need to be a software developer to extract insights quickly.

Each of the above examples reduces clock time and conserves mental energy. They are small steps in our larger plan to help you conquer that other elephant, the elephant in the room: security operations efficiency. See for yourself by downloading the new version now.

The first of a two-part series.

For some reason, elephants figure frequently in our conversations – “seeing different parts of the elephant”, “memory like an elephant,” and now, “eating an elephant.” This phrase, definitely meant as an analogy, expresses the lengthy, enormous, and daunting task that our development team faced in reimagining the user experience in our McAfee Enterprise Security Manager (ESM) SIEM solution. To succeed, they needed a vision, strategy, and plan.

The new ESM 10.0 user interface has been designed to reduce cognitive strain – providing content in context as the user goes about tasks

First, a vision. In the last few years, driven by increasingly complex incidents, the security operations mantra has shifted to real-time analysis coupled with individual and team efficiency. Countless research studies document the shortage of skilled security analysts and researchers. Time clearly needed to be a part of the vision.

But for the user experience team, productivity isn’t just about elapsed time. It also includes the cognitive workload that can subtly wear down and exhaust the analyst. You probably experience cognitive overload today. You walk from the kitchen into the bedroom and stand there wondering why you came in. This is true when we move between physical rooms, and it’s true when we move between virtual rooms, such as in a video game or user interface. In this context switch, it turns out we are 2-3 times more likely to forget! And it gets worse. This memory lapse is aggravated if you are sleep deprived or over-stressed, like new parents, air traffic controllers, and security analysts.

Once we hit our cognitive threshold, we have only emotion to fall back on. So the typical analyst has faulty memory plus frustration. This combination makes for poor security decisions. It is why we design for “high context” UIs. We are striving for one room with all the relevant data so the analyst can focus on making good decisions.

From a design perspective, here are some specific cognitive workload tests:

The “data fragmentation” load: How much data does the user have to keep in his memory as he changes screens, modes, and tasks, or retain over a series of tasks?

The “navigation” burden: How many times does the user traverse up and down task flows and screens in pursuit of a task?

The “mind-numbing” factor: How many times does that task need to be repeated per hour/day/week?

The “clutter” factor: How much data is displayed all at once? How hard is it to identify and navigate relationships?

Instead of simply looking at faster functioning of the same processes, we wanted to reduce the cognitive burden of the user – to keep them as effective as possible for as many hours of their day as possible. This “save time, save mental energy” approach formed the core of our vision. Our logic was this: Anything we could do to improve their productivity and enhance concentration would pay off in speed of results, capacity of analysts, and quality of life for them and their management team.

This illustrates the complexity of SIEM, showing first and second level nodes in the ESM 9.X user interface.

Next, a strategy. As the epicenter of security operations, a SIEM is a complex animal, and the UI and user design can mask or multiply this complexity. The graphic gives you an idea of the scope of this effort, the first and second level nodes in the ESM 9.X user interface. Every node has multiple screens under it.

Lots to do, clearly, but where could we best affect time spent? After dozens of site visits and in-depth, interactive usage interviews, we discovered more than half of the users were security operations, and another 29% were Infrastructure Operations. Given these day-to-day jobs, the majority of user time is spent in analysis and research.

In the second part of this series, we’ll continue the user experience journey with the ESM 10.0 UX design team as they build out the plan for the new ESM 10.0 solution.

Change, embrace it – Why you need to change the way you look at security
https://securingtomorrow.mcafee.com/business/optimize-operations/change-embrace-need-change-way-look-security/
Tue, 21 Feb 2017 14:00:13 +0000


Change. “There is a time appointed for everything and a time for every purpose—”

Imagine trying to change a cowboy wagon to upgrade its performance to make it comparable to a Ferrari. Crazy, right? We’d never try, right? Because the wagon has a fundamentally different architecture and was built for a different purpose, merely upgrading the engine (for example) obviously would not work. Yet this is what we often set out to do in cyber security.

Change at RSA Conference 2017

The major security vendors are back and they are drawing a line in the sand. A line between legacy security strategies and new. It is becoming clear that some major vendors are undertaking a strategy of, “don’t buy your security tools from 50 different vendors.”

This concept is old, and is based on fairly solid market research showing that most large entities do not use a homogeneous security tool-set. However, entities suffer from this diverse tool-set “problem” because the cyber security industry created it. Specifically, for every new threat, we spin up a new product (often, nowadays, a whole startup). These products and startups try to solve today’s problem, then tomorrow’s problem, and so on: rinse and repeat.

Maybe thought leadership says we need to help our clients extract maximum value out of all their (oftentimes widely diverse) security tools, not just the ones from brand X. Because of this, the age-old idea of competing on everything from detection methodology to actual threat information is a dying paradigm.

Change in crime

If one thing is obvious, it’s that in cyber security change is constant. It is noteworthy that long ago, in 2011, Interpol stated for the first time that the costs of cyber crime had overtaken the combined costs of illicit sales of marijuana, cocaine and heroin.

Consequently, did existing criminal organizations, who for ages had built infrastructure to support narcotics sales, human trafficking and other forms of crime, stagnate? No, they changed. Now, Interpol states, those same organizations are thriving organized cyber crime businesses.

Change our approach

First and foremost, a partner needs to show the intellectual honesty to admit what they can and cannot do for your security. This is why I message passionately around the need to help our clients build effective security infrastructures. Additionally, rather than a bunch of diverse tools, I try to point clients to the value of a connected and orchestrated bunch of diverse tools. As a result, the choice becomes less “best of breed vs. integrated” and more “your tools, integrated.” This change in approach allows us to measurably increase security effectiveness. Additionally, we improve efficiency, improving time to protect and remediate. Most of all, security stops being an impediment to the business’ primary objectives and becomes a facilitator.

Next steps

First, re-assess your security approach today, determine a baseline (current state), then implement methods to measure the results of every action you take.

Challenge any vendor to show how their product(s) will add a measurable improvement to your security baseline.

Furthermore, demand that your vendors position solutions, not products. Does the tool you’re considering stand on its own, or will it become an integral part of your security?

Finally, ensure that you benefit at multiple infrastructural layers with every new threat that is detected regardless of detection tool. Why? Because:

“Strategic planning is the key to warfare; to win, you need shared intelligence from multiple sources.”


A fast-forward button for integration to a unified security architecture.

One of the reasons why the Mission Impossible premise has resonated across the generations is that all of us, at one time or another, are handed projects that seem to come with that label. Unfortunately, if you’re like me, you feel more like Wile E. Coyote holding that bomb as it explodes, rather than the cool Tom Cruise or, if you are an old-school fan, the unflappable Peter Graves.

It seems I am always searching for the magical fast-forward button or time machine that allows me to bend the laws of time and physics to defuse the bomb and save the day.

Impossible? Maybe not always. Consider the following scenario:

The architect for ALPHA, which is merging with another company, ZED, is trying to sort through and integrate ZED’s application software and data with ALPHA’s systems to create a unified security operations environment. In 60 days, the security infrastructure has to be 1) functional, 2) compliant, and 3) reliable. And of course, the analysts won’t tolerate any visible change, such as slower performance, loss of features, or longer wait times for searches, reports, or visualizations.

Our hero has figured out which data and applications to keep and connect. In some cases systems will run side by side before eventually one system replaces another – some of ZED’s software is more modern and capable than ALPHA’s, and both companies have some existing (legacy) software that can’t be shut down anytime soon because of compliance or mission-critical functions. So our hero knows which assets he cares about. Now he has to make it all talk together. In 60 days.

One day, our hero is blissfully sipping tea while researching integrations from his key vendors, looking for APIs and scripting options. Suddenly, the CISO comes in with an update from the board meeting: accelerate the merger’s close by 30 days, because the timing is helping the competition disrupt deals. That means he has to get the integrations done in half the time. Our hero needs a fast-forward button for the plan.

Now the bomb is ticking down. There’s no peace in the architect’s cube. The “to do” list of integrations looks way too long. Precious few of the commercial vendors offer the necessary integrations off the shelf, and he can’t believe how few publish APIs or scripting frameworks for self-service. Open source would help, but that code requires validation and testing. How the heck is he going to pull this off? 16-hour days?

Our scene advances as the CISO checks back in the next morning. While the architect was caffeinating for a long day of writing custom integrations, his CISO was breakfasting with the CISO of a health care provider. That CISO was talking about the rollercoaster of the last few years, with one merger per year. But they had found a time machine. Last year, her team used OpenDXL to integrate the two companies’ applications and had great results. OpenDXL Python scripts connected all the apps to a common application framework. This approach made it easier to add apps and data sources as they matured their requirements, and also to insulate systems from direct dependencies. This abstraction gave them more flexibility to distribute and evolve the underlying systems as well. It was the best merger experience they’d had in 5 years, and the CISO felt ready to handle whatever the Board dealt out next with aplomb.

The architect was already googling for “OpenDXL”. Even if the story were only half true, it had to be worth a shot. On GitHub.com/opendxl lay a treasure trove of integration examples, free downloads, and test software for integrating applications. A link to mcafee.com/dxl showed that several of the company’s targeted applications and vendors were already integrated with DXL. Best of all, an architecture guide for best practices showed how to integrate applications through OpenDXL. The integration to do list was looking shorter and more realistic by the minute.

Fast forward. It’s 30 days later, and our hero has made it. Systems running, compliance audits passed, uptime goals met. Whew. And an unexpected benefit – because DXL has a real-time data exchange, several of the SecOps team’s tedious serial workflows had gotten FASTER. Maybe the fast-forward button was stuck on. That was a technology glitch to get excited about. And when the CISO handed out a bonus check for meeting the date, the day got even better.

If you think about it, the best stories on Mission Impossible were always the ones where the tools to solve the case were already available. It was just a matter of knowing where to look. So what are you waiting for? The clock is ticking…

This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article.

A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams of analysts seemed ready to be replaced by distributed teams, outsourced, or disbanded entirely. If you were not in the Defense Department or on Wall Street, many thought, then you did not need a SOC. Then targeted attacks and insider threats moved from movie and government plots to an everyday reality for enterprises. According to a McAfee survey, 68% of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.

Today, almost all commercial (1,000–5,000 employees) and enterprise (more than 5,000 employees) organizations run some type of SOC, and half of them have had one for more than a year, according to the latest research study from McAfee. As the number of incidents continues to increase, security organizations appear to be maturing and using what they learn to educate and improve prevention in a virtuous cycle. For instance, survey respondents documented their expanding investments in SOCs and attributed an increase in investigations to an improved ability to detect attacks. Those who reported a decline in investigations of incidents attributed this improvement to better protection and processes, which mature organizations perform as the final stage of a security investigation.

These are some of the findings in a primary research study commissioned by McAfee on the current state of security management environments and threat detection capabilities, as well as priority areas for future growth.

Almost nine out of 10 organizations in this study reported that they have an internal or external SOC, although commercial organizations are slightly less likely to have one (84%) compared with enterprises (91%). Smaller organizations in general are implementing SOCs a bit later than enterprises, as only 44% of commercial groups have had one for more than 12 months, whereas 56% of enterprise SOCs have been around for that long. Most SOCs (60%) are currently run internally, with 23% operating a mix of internal and external support, and 17% fully external. For the few that have not established a SOC, only 2% of enterprises have no plans to do so, versus 7% of commercial companies.

Of the 88% of organizations operating a SOC, the majority (56%) reported that they use a multifunction model combining SOC and network operations center (NOC) functionality. Organizations in the United Kingdom (64%) and Germany (63%) are even more likely to operate in this model. Dedicated SOCs are in use by 15% of companies and are more prevalent in the United States (21%). Virtual SOCs are the third model, also used by about 15% of respondents, followed by a distributed or co-managed SOC, at 11%. Only 2% reported operating a command SOC.

This distribution of SOC implementations has several implications. The majority operate at or past the midpoint of SOC maturity, progressing toward the goal of a proactive and optimized security operation. However, more than a quarter (26%) still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response. This can significantly extend detection and response times, leaving the business at greater risk of significant damage, as well as facing a higher cleanup cost.

Whether from an increase in attacks or better monitoring capabilities, most companies (67%) reported an increase in security incidents, with 51% saying they have increased a little, and 16% that they have increased a lot. This is analogous to findings from the key topic “Information theft: the who, how, and prevention of data leakage” in the McAfee Labs Threats Report: September 2016. That primary research study found that organizations which watched data more closely for leakage reported more data-loss incidents.

Only 7% overall indicate that incidents have decreased, and the remaining 25% say that they have remained stable over the past year. There was little variance reported by country, but incidents increased as organizations get smaller, possibly indicating that criminals have broadened their attack targets. Only 45% of the largest organizations (more than 20,000 employees) reported an increase, compared with 73% of the smallest (fewer than 5,000 employees).

The small group that reported a decrease in incidents overwhelmingly (96%) believe that this was due to better prevention and processes. Of those who said that incidents increased, the majority feel that it was due to a combination of improved detection capabilities (73%) and more attacks (57%).

Most organizations are overwhelmed by alerts, and 93% are unable to triage all relevant threats. On average, organizations are unable to sufficiently investigate 25% of their alerts, with no significant variation by country or company size. Almost one-quarter (22%) feel that they were lucky to escape with no business impact as a result of not investigating these alerts. The majority (53%) reported only minor impact, but 25% say they have suffered moderate or severe business impact as a result of uninvestigated alerts. The largest organizations, perhaps because of their better monitoring capabilities and stable incident levels, are more likely to report no business impact (33%).


For a long time, the threat intelligence landscape could be likened to an archipelago; a collection of islands. There were a few bridges here and there but the various islands remained largely inaccessible. It became clear, however, that in this era of rapidly evolving and advanced threats, we needed to find a way to build those bridges, to join the dots and ensure each part of the ‘security archipelago’ is not only connected, but integrated, with open channels of communication.

Well-funded crime organizations have continued to strain the capabilities of traditional security infrastructures, so an approach that allows organizations to draw on all available resources and make more informed and educated decisions is vital.

Security Connected

McAfee introduced the McAfee Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) in response to these challenges. Together they form a secure communication platform that connects and unites disparate security technologies into a single coordinated system, allowing customers to make smarter security decisions, faster.

Customers can strengthen their threat defenses by drawing upon third-party vendor technologies that are integrated into the McAfee platform to optimize their security operations, neutralize emerging threats, fortify critical environments and safeguard data.

In essence, McAfee TIE/DXL ushers in a new era in security where the whole is greater than the sum of its parts. All components come together to work as a single cohesive system, regardless of vendor or underlying architecture.

Avecto, a McAfee Innovation Alliance partner, has completed a fully integrated TIE/DXL solution for Avecto Defendpoint. This joint solution gives customers actionable intelligence on application reputation, allowing them to drive configuration changes and make risk-based policy adjustments, all helping to create stronger defences against today’s threats. You can learn more about Avecto’s integration with McAfee on a live webinar on Sept 21. Chris Sherman, Analyst at Forrester, will present on the Six Pillars of an Effective Endpoint Security Strategy, and you will hear from Avecto and McAfee on how to deal with the multitude of threats targeting endpoints through a balance of attack surface reduction and threat detection. Register to attend: https://www.brighttalk.com/webcast/1743/221445

Learn from cybersecurity expert Peter Stephenson and McAfee’s Michael Leland as they discuss why enterprises are now turning to advanced threat and incident management (ATIM) TTPs that integrate with their SIEM. This continued shift from perimeter-focused, reactive approaches to continuously monitored, collaborative and proactive methods leverages analytics and crowdsourced threat feeds, and requires as much focus on the context as on the incident. Is your SOC prepared for this next generation of security operations?


Another Black Hat USA conference has come and gone, but, much like every year, a lot of incredible insights remain. And McAfee was a major contributor to those insights. Our presenting researchers offered several great demonstrations this year, but three sessions stood out in particular for their insight into future ransomware scenarios:

Enjoy Your Coffee, Pay Me for Your Business — This session gave a few great examples of just how damaging the combination of ransomware and the Internet of Things can be. For example, our researchers presented attacks ranging from controlling IoT-connected lights (which would flicker until a victim paid a ransom) to using rogue Wi-Fi access points to infect a targeted organization’s smartphones. These infected smartphones could then be used to cripple office systems, networks or hold access to critical files hostage.

Your Home is Hacked… Pay Me! — This yet-to-be-publicly-released session detailed a scenario of how ransomware could affect, and infect, a smart home. Our researchers were able to show how we could identify a vulnerability in a home automation appliance and execute an exploit of the vulnerability — even if it’s been patched — allowing an attacker to plant ransomware or malware on the device. More on that session soon…

I’m Watching You Through Your Car Wi-Fi — Our researchers also presented a ransomware scenario for smart cars. Through an exploit targeting auto-entertainment system hubs, our teams were able to show how an attacker could track the location of a targeted car and harass the targeted car’s owner through status messages. This, of course, could last until the car owner paid a ransom.

The rise of the Internet of Things (IoT) and ransomware are two of the biggest security stories in years. We’re looking forward to contributing more towards consumer safety in these arenas.

We also announced a few promising partnerships at Black Hat 2016. For example, we’re partnering with CompuCom to help alleviate companies burdened by the cybersecurity skills shortage. To do this, CompuCom is deploying McAfee Enterprise Security Manager as its SIEM tool as a completely cloud-hosted and cloud-delivered solution. This will enable CompuCom to respond to client needs quickly and inexpensively.

A big hats-off to everyone who helped make Black Hat 2016 a huge success! We certainly learned a lot during our time at one of the largest annual cybersecurity events, and we hope we’ve imparted a lot of valuable cybersecurity information to our session attendees. ‘Till next year!


Today, from Black Hat 2016 in Las Vegas, CompuCom announced the expansion of its Managed Security Services (MSS) through the release of its upgraded Security Information and Event Management (SIEM) services. In my earlier blog, I spoke about the cyberskills shortage and the active role that partners can play in helping to alleviate this problem for customers. This is a great example of a partner who is helping enterprise, commercial and small- and medium-sized businesses (SMBs) safely embrace public cloud adoption, enable their employees to use personal devices for company work and leverage the Internet of Things (IoT) to collect and process Big Data.

CompuCom now provides the latest in security event monitoring to identify and halt threats before they become a breach. When combined with its other network, service desk, data center and cloud managed services, the portfolio delivers an exclusive, comprehensive managed IT service that is smarter, safer and more affordable. This helps businesses respond to threats faster, leading to faster remediation times and minimized costs.

To achieve these new capabilities, CompuCom has deployed McAfee Enterprise Security Manager (ESM) as its SIEM tool in a new and exciting way: as a completely cloud-hosted and cloud-delivered solution. By leveraging a cloud-delivered ESM service, CompuCom can respond to its clients’ needs in a faster, more agile and more cost-effective manner.

CompuCom’s SIEM and McAfee’s ESM partnership includes:

CompuCom’s SIEM and McAfee’s endpoint, which deliver more security features and functions, including real-time threat management on servers and desktops, virtualized or physical, on premises or in the cloud.

Advanced correlation of events across multiple systems and platforms. Today’s attacks are often coordinated across different vulnerabilities.

CompuCom’s comprehensive Managed Security Service that can be delivered on almost any manufacturer’s endpoint hardware.

For those of you at Black Hat this week, you can stop by McAfee booth #1465 on August 3 at 3:15pm PT for a presentation from Chad Atchley, Cloud Product Director, CompuCom.


How important is a comprehensive, fully integrated security strategy for an enterprise? Just ask Michelle Duprey, Manager of Information Security at Boston Medical Center (BMC). The academic medical center, based in Boston, is the largest safety-net hospital in New England. A business that robust demands a modern security defense.

When Duprey first joined the hospital she faced a security nightmare—an environment of disjointed security applications that didn’t communicate with each other. “We run a lean group, and it was challenging to pull data out of all of those disparate products and turn it into useful information,” she says. When security applications start to work against you instead of with you, it’s time to reevaluate.

“We chose McAfee because we needed a powerful and effective suite that could be managed with a single pane of glass. Not only do the McAfee products work extremely well together, but ePO makes our jobs so much easier. In one console we’re able to see what’s going on with all 10,000 endpoints, and we can push policies out to the entire network in just a few minutes.”

Duprey comments that the powerful TIE/ATD combo gives the team a better picture of endpoint status and where the vulnerabilities are, capabilities that will be strengthened even further with the addition of SIEM. “Now that we’ve consolidated our portfolio around McAfee, we’ll spend the next few years optimizing those technologies and getting to a fluid operational state,” she adds.

Transitioning to McAfee’s integrated security platform grants Boston Medical Center a clearer view of its endpoints and security ecosystem as a whole. Breaking down siloed tools in exchange for centralized solutions provides the hospital the support it needs to supply patients with quality care.

NSS Labs Recommends McAfee NSP NS9100 for Data Center Security

That’s the takeaway from NSS Labs’ just-released test report on high-throughput intrusion prevention systems (IPS) for the data center, in which the McAfee Network Security Platform (NSP) NS9100 appliance won a hard-earned “Recommended” rating. This is the fifth time that McAfee NSP has achieved this level of excellence from NSS Labs for IPS overall. As a combination of blocking, throughput and TCO, McAfee NSP clearly delivers industry-leading security for today’s and tomorrow’s data center.

Data center applications make unique demands on an IPS, as traffic levels can be significantly higher than at the corporate perimeter. Also, traffic mixes can vary with security strategies, which may prioritize specific servers, protocols, or applications. Latency is also of great concern, as application performance may be adversely affected if an IPS introduces significant delays. While handling the rigors of a physical network is key, one must keep in mind the growing trend toward the virtual data center. As the only dedicated IPS certified for VMware’s NSX SDN solution, McAfee NSP finds itself the security platform of choice for growing your physical data center into tomorrow’s virtual software-defined data center (SDDC).

IPS Testing Criteria

To discover what the current crop of IPS solutions offers data center security teams, NSS Labs tested a cross section of products claiming effective threat blocking and high throughput capabilities. Each system was subjected to a library of server exploits curated for malicious behaviors ranging from opening a reverse shell and executing arbitrary code to installing a payload or rendering a system unresponsive. Selection criteria also included evasive tactics such as IP packet fragmentation, stream segmentation, RPC fragmentation, URL obfuscation, and FTP evasion — deployed singly or in layers.

These threats were embedded in multi-Gigabit traffic streams designed to stress the inspection engine and reveal its performance and behavior in a range of real-world operating scenarios. To complete the assessment, NSS Labs investigators also evaluated each IPS for stability and reliability, ease of management and configuration, and total cost of ownership.
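Stream segmentation is on the evasion list because a signature that is matched one packet at a time is blind to a pattern that straddles a segment boundary. The following added example (constructed here for illustration; it is not NSS Labs’ test harness or McAfee NSP code) shows the difference between per-segment matching and matching after reassembly, including out-of-order and overlapping segments. `SIGNATURE` is a placeholder pattern, not a real rule, and the overlap policy (first received wins) is an assumption; real hosts differ, and modelling the protected host’s policy is exactly the part of the job an evasion test exercises.

```python
"""Added example: why an IPS must reassemble a TCP stream before matching.

Constructed data throughout; SIGNATURE is a placeholder detection pattern,
not a rule from the NSS test library.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SIGNATURE = b"EXAMPLE-BAD-PATTERN"


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first byte in this segment
    data: bytes


def match_per_segment(segments: Iterable[Segment], pattern: bytes = SIGNATURE) -> bool:
    """Naive inspection: each segment is examined in isolation."""
    return any(pattern in s.data for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream from segments delivered in any order.

    Overlap policy here is first-received-wins (an assumption). Some hosts keep
    the later copy instead, so a production IPS has to model the policy of the
    host it protects; mismatched policies are what overlap evasions rely on.
    Only the contiguous prefix from offset 0 is returned: bytes after a gap
    cannot have been consumed by the receiver yet either.
    """
    bytes_at: Dict[int, int] = {}
    for seg in segments:                      # iterate in received order
        for i, byte in enumerate(seg.data):
            bytes_at.setdefault(seg.seq + i, byte)
    stream = bytearray()
    pos = 0
    while pos in bytes_at:
        stream.append(bytes_at[pos])
        pos += 1
    return bytes(stream)


def match_reassembled(segments: Iterable[Segment], pattern: bytes = SIGNATURE) -> bool:
    """Inspection after reassembly sees the pattern even when it is split."""
    return pattern in reassemble(segments)


# Constructed delivery: the 19-byte pattern is split across three segments
# (5 + 7 + 7 bytes) and the segments arrive out of order.
SPLIT_STREAM: List[Segment] = [
    Segment(seq=20, data=b"PATTERN\r\n"),
    Segment(seq=0,  data=b"GET /?q=EXAMP"),
    Segment(seq=13, data=b"LE-BAD-"),
]

if __name__ == "__main__":
    print("per-segment match :", match_per_segment(SPLIT_STREAM))   # False
    print("reassembled match :", match_reassembled(SPLIT_STREAM))   # True
```

The same `reassemble` function also shows the overlap problem: two segments claiming the same offsets with different bytes produce one stream under first-received-wins and another under last-wins, and only the stream the real host builds is the one that matters for detection.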

The Envelope Please!

Tested with tuned policy settings, the Network Security Platform NS9100 blocked 99.4 percent of all exploits in the NSS library and effectively detected and countered all of the evasion techniques employed.

Finally, the NS9100 passed all assessments for stability, reliability, configurability and manageability. Based on current street pricing, three-year TCO was calculated at just $12 per protected Mbps of data center traffic.

The NSS Labs Security Value Map (SVM) report is available here. I recommend you read it and hope you’ll join me in a sincere “Well Done” to everyone on the McAfee Network Security Platform product team.


Isn’t it time to invest in a security solution that doesn’t break the bank? One bank offers a textbook case study in corporate data security, since by definition it’s required to safeguard clients’ highly sensitive personal and financial data. This U.S.-based regional commercial bank has undergone a sea of change in its approach to security over the past seven years, a remarkable transformation overseen by the bank’s CISO.

This bank has migrated from disconnected point solutions to a fully integrated security platform based on McAfee solutions, and the result is nothing short of amazing. Their security team is better and more efficient at detecting malware of all kinds, equipping the bank to deal with advanced, targeted cyber threats and ward off costly data breaches.

The open, interconnected McAfee infrastructure is driven by an adaptive feedback loop in which security evolves and learns in an iterative cycle that improves over time. This not only delivers a much more sustainable advantage against complex threats, but it’s also much more efficient than the bank’s previous traditional, unintegrated security architecture. The strategy paid off recently when the bank was targeted by a zero-day phishing attack. In the end, McAfee Advanced Threat Defense and McAfee Threat Intelligence Exchange did exactly what was expected—kept the bank safe.

“With the McAfee interconnected security approach, communication between solutions becomes a non-issue,” says the CISO. “Planning, technical design process, deployment, implementation, and maintenance have all become so much easier.”

He adds, “McAfee has treated us as an important customer from the very beginning, when all we had was antivirus software. Our security transformation is still under way, but we are so much more secure now than we were before. I expect McAfee to be partnering with us for the long haul, helping us tackle our strategic priorities, from better controlling employee behavior to securely leveraging the cloud.”

After the zero-day phishing attack, two subsequent attacks were also easily thwarted. Thanks to a truly integrated security approach, this bank’s security environment looks extremely different today than it did just a few years ago, and its security posture is stronger and more sustainable.

Want more? Read the full case study here. Questions? We have answers on Twitter at @McAfee_Business.

5 Things You Need to Know About Integrated Security in the Cloud (https://securingtomorrow.mcafee.com/business/cloud-security/5-things-need-know-integrated-security-cloud/, Tue, 03 May 2016)


Whatever the specific configuration of your cloud, be it public, private, or a mix of both, there are security risks that aren’t immediately apparent, ranging from the technical to organizational to issues of governance. Here are five things you need to know about integrating security across your multiple cloud deployments for optimal security.

1) Know where your data is

Keeping your eye on where your data is located can be more difficult than you think, especially because of shadow IT. The cloud makes it easy for individual departments to have their own cloud-based applications and data storage. But you can’t protect what you don’t know exists—and even if you do know it exists, there are still unique issues to solve for. If you think there is no shadow IT in your organization, think again: In a Frost and Sullivan study, more than 80% of respondents admit to using non-approved SaaS applications in their enterprises.

Here’s the issue: shadow IT makes it possible for data to be stored and processed in the cloud without proper security controls. And when users and departments store and share sensitive data in the cloud or run applications in the cloud without IT’s knowledge, the enterprise can be exposed in many ways.

The answer: make sure you have a single system to track and secure your data. Consider requiring that IT perform security and compliance reviews for any SaaS contracts and services. IT may also want to launch a campaign to educate department managers about the governance and security issues that go along with SaaS applications and the cloud.

2) Secure your east-west traffic

Enterprises are moving to virtualized data centers, including private and public clouds, and beyond that to software-defined data centers. This has created a new pattern of east-west traffic from server to server or workload to workload. North-south traffic (between client and server) has also changed, because servers no longer sit on a dedicated appliance in a data center but are virtualized, generally in some kind of cloud configuration. In addition, the number and variety of clients has grown to encompass tablets, mobile devices, wearables, and IoT sensors.

This creates a new set of security challenges, particularly for east-west traffic. Firewalls placed at the edge of a data center or its virtual clone do little for east-west traffic, because routing that traffic through an edge device depends on static routes and known entities—or else requires that IT manually configure and direct the east-west traffic to the security appliance.

One way to solve this is with software-defined security, which virtualizes an enterprise’s security infrastructure. In this approach, a controller automatically provisions security wherever and whenever it’s needed. The system can connect to multiple data centers of different types, and works with many security solutions—meaning it works with multiple types of cloud configurations. Intrusion prevention systems for virtual environments are key tools as well, and work in concert with software-defined security.

3) Protection from malware

Many enterprises move to the cloud after having virtualized servers and applications in their data center, and may not be used to the unique security issues posed by a cloud configuration. Here’s an example. As some enterprises move to a private cloud, they run traditional anti-virus products in virtualized machines to fight malware. But in doing so they bring those virtualized machines to their knees, dramatically slowing performance. (For more details, see this interview about hybrid cloud security with McAfee’s Loretta Nierat.)

To avoid those kinds of problems, look for security and data solutions specifically designed for the hybrid cloud. For anti-malware protection, that means special techniques such as avoiding scanning inside each virtual machine and instead using a dedicated scan appliance, or scan avoidance, which tracks which files have already been scanned and prevents re-scanning if they haven’t changed.
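The scan-avoidance idea is simple to state and easy to get subtly wrong, so here is an added example of the bookkeeping (written for this page, not taken from any McAfee product): verdicts are cached per path along with the file’s size, modification time and content hash, and a file is only re-scanned when its content has actually changed. The scanner itself is a constructed stand-in and `MALICIOUS_MARKER` is a placeholder, not a real indicator. The metadata fast path is the performance win; the caveat in the comments is that a writer able to reset timestamps defeats a metadata-only check, which is why shipping products invalidate cache entries from write hooks rather than from timestamps alone.

```python
"""Added example: scan avoidance for anti-malware on virtualized workloads.

A file is hashed or scanned only when its metadata or content has changed
since the last verdict. The scanner is a constructed stand-in, not an engine.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MALICIOUS_MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"   # placeholder, not a real IoC


def toy_scanner(data: bytes) -> str:
    """Stand-in for a real engine: flags files containing the marker."""
    return "malicious" if MALICIOUS_MARKER in data else "clean"


@dataclass
class ScanStats:
    scanned: int = 0   # full engine scans performed
    skipped: int = 0   # scans avoided because nothing changed


class ScanCache:
    """Caches verdicts per path as (size, mtime_ns, sha256, verdict)."""

    def __init__(self, scanner: Callable[[bytes], str]) -> None:
        self._scanner = scanner
        self._entries: Dict[str, Tuple[int, int, str, str]] = {}
        self.stats = ScanStats()

    def scan(self, path: str) -> str:
        st = os.stat(path)
        entry = self._entries.get(path)
        # Fast path: size and mtime unchanged, reuse the verdict without reading.
        # Caveat: a writer that resets mtime defeats this, so real products
        # invalidate entries from filesystem write hooks, not timestamps alone.
        if entry and entry[0] == st.st_size and entry[1] == st.st_mtime_ns:
            self.stats.skipped += 1
            return entry[3]
        with open(path, "rb") as fh:
            data = fh.read()
        digest = hashlib.sha256(data).hexdigest()
        if entry and entry[2] == digest:
            verdict = entry[3]          # touched, but content identical: no rescan
            self.stats.skipped += 1
        else:
            verdict = self._scanner(data)
            self.stats.scanned += 1
        self._entries[path] = (st.st_size, st.st_mtime_ns, digest, verdict)
        return verdict


def run_demo() -> Tuple[List[str], ScanStats]:
    """Scan a constructed file twice, modify it, scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.bin")
        cache = ScanCache(toy_scanner)
        with open(path, "wb") as fh:
            fh.write(b"quarterly numbers")
        verdicts = [cache.scan(path), cache.scan(path)]      # second call is skipped
        with open(path, "wb") as fh:
            fh.write(b"quarterly numbers " + MALICIOUS_MARKER)  # size changes -> rescan
        verdicts.append(cache.scan(path))
        return verdicts, cache.stats


if __name__ == "__main__":
    print(run_demo())   # (['clean', 'clean', 'malicious'], ScanStats(scanned=2, skipped=1))
```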

4) The difficulties with compliance

Compliance in the hybrid cloud is particularly thorny: in a word, your compliance policies for your private cloud and public cloud provider have to match. Even the way they communicate must be compliant. The issue is significant enough that 38% of companies in a survey by the Cloud Security Alliance said that a major barrier to cloud adoption is their concern about regulatory compliance.

As a starting point, centralize all governance related to cloud deployments in IT, which can ensure consistent compliance policies across both public and private clouds. Individual departments and shadow IT simply can’t handle it.

Raise any industry-specific compliance issues such as HIPAA with public cloud providers before any contracts are signed. Any prospective cloud providers should detail exactly how they handle those and other compliance issues—and that they match an enterprise’s rules and approach.

Finally, delve into the ways your public and private clouds communicate, and ensure they meet privacy, security, and other governance regulations.

5) Take care with your SLA

Crafting SLAs for the hybrid cloud can be extremely complex. You’ll need to make sure that your public-cloud SLAs spell out specific data protection and security features and guarantees. But that’s just a first step. You’ll also need to ensure that your private-cloud SLA matches the public one, and that both are in line with your business needs.

Start by tracking your private cloud’s availability and performance, and then evaluate what kind of security issues might arise when integrating with the public cloud. If you are required to keep confidential data on-premises in your private cloud, for example, make sure your SLA details that you won’t be using that data in the public cloud.

Closely review all the terms and conditions—don’t breeze by the legalese and fine print. This is particularly important because there are few standards and benchmarks for SLAs in the cloud, according to a study from Nova Southeastern University.

Pay attention to security clauses, such as who has access to your data, whether the provider outsources data storage, how data is deleted, and whether certifications and third-party audits will be performed. Also important: how is privacy handled, such as what data will be collected about your organization, and what steps will be taken to keep it private. Find out how the data will be used, and how long it will be retained. And look for operational details such as backup frequency, recovery time from failure, and the provider’s database and storage architecture redundancy model.

If you follow all five of these steps, you’ll be well on your way to making sure that your hybrid cloud is as secure as possible.


In a number of recently publicized breaches, and probably many other attacks, information that could have enabled the security team to catch and contain the attack was lost in the sheer volume of alerts. Your security team is getting alerts from internal sensors, threat intelligence from multiple sources, and potential indicators of attack or compromise from your security countermeasures. Relying on human filters to decode, deduce, and decide what is relevant takes valuable time and can result in long delays between attack, detection, and containment.

I believe that the solution to this volume of data is to build into the SIEMs automation and active awareness of their environment. Security analysts need timely and relevant information to be most effective. Wading through wave after wave of data from a variety of sources, looking for highly credible threat artifacts and correlating with the organization’s inventory of digital assets, is not the best use of these skilled resources. Taking appropriate action may require their knowledge and judgment, but filtering and correlating the flow of data is a rules-based task that can be delegated to adaptive machine algorithms.

Threat intelligence comes from a wide range of sources, of varying credibility. I am not proposing that we automate and delegate all of the threat remediation actions. Nor do we want a system that can be gamed by someone with malicious intent, for example by injecting false positives into the intelligence stream to prevent communication between legitimate partners. Incoming threat data includes information on the source and how the data was gathered, whether it is from a public report, sandbox isolation and execution of the code, or activity captured on an infected endpoint. The headers of the threat notices also contain details to verify that the contents of the message have not been tampered with and to enable you to calculate the trust level of the source.

The trust level of the source and the method of data collection provide the foundation for a threat credibility score. As additional notices come in, they are evaluated to substantiate the initial threat, increasing or decreasing the credibility score appropriately. As vendors, government organizations, or other companies identify suspicious or confirmed threats in their environment, that info can be quickly shared via community-based information sharing and analysis centers. If you receive multiple indicators of a similar threat, you can compound the credibility score. Then, depending on the nature of the threat and the credibility score, you can decide if this is an issue that can be remediated automatically or whether it requires further investigation and the judgment of a security analyst.

Another advantage of automating the collection and parsing of this info is the ability to look back in time. Once you have identified the key characteristics of a particular threat, whether it is code samples, hash values, registry changes, or other effects, the system can automatically scan your network looking for previous occurrences of the threat over previous weeks or months, and isolate or eradicate them.
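The three preceding paragraphs describe one pipeline: verify that a notice was not tampered with, weight it by source trust and collection method, compound corroborating notices into a credibility score, route by threshold, and then look back through stored events for earlier sightings. The following added example (constructed for this page, not McAfee SIEM code) implements that pipeline end to end. The trust weights, thresholds, per-source HMAC keys, the sample hash and the historical events are all assumptions; real feeds authenticate with signatures or TLS client certificates rather than shared keys. The tampered notice in the sample is the false-positive-injection case from the text: it would push the score over the auto-remediation threshold if it were counted, and it is dropped because its integrity check fails.

```python
"""Added example: scoring threat notices by source trust and collection method,
rejecting tampered notices, and looking back through stored events.

All weights, keys, notices and events are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Tuple

# Assumed trust in each source and in each collection method (illustrative).
SOURCE_TRUST: Dict[str, float] = {"vendor-feed": 0.8, "isac": 0.7, "public-report": 0.4}
METHOD_WEIGHT: Dict[str, float] = {"sandbox-detonation": 1.0, "endpoint-capture": 0.9, "report": 0.5}
# Constructed per-source keys; real feeds use signatures or TLS client certificates.
SOURCE_KEYS: Dict[str, bytes] = {"vendor-feed": b"k-vendor", "isac": b"k-isac", "public-report": b"k-public"}


def canonical(body: dict) -> bytes:
    """Stable serialization so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_notice(source: str, body: dict) -> dict:
    mac = hmac.new(SOURCE_KEYS[source], canonical(body), hashlib.sha256).hexdigest()
    return {"source": source, "body": body, "mac": mac}


def notice_verified(notice: dict) -> bool:
    """Integrity check from the notice header: unknown source or bad MAC fails."""
    key = SOURCE_KEYS.get(notice.get("source"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(notice["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, notice.get("mac", ""))


def credibility(notices: Iterable[dict]) -> float:
    """Noisy-OR combination: each verified notice lowers the chance all are wrong."""
    p_all_wrong = 1.0
    for n in notices:
        if not notice_verified(n):
            continue                      # tampered or unknown-source notices carry no weight
        w = SOURCE_TRUST[n["source"]] * METHOD_WEIGHT[n["body"]["method"]]
        p_all_wrong *= 1.0 - w
    return round(1.0 - p_all_wrong, 4)


def triage(score: float, auto_threshold: float = 0.9, analyst_threshold: float = 0.5) -> str:
    if score >= auto_threshold:
        return "auto-remediate"
    if score >= analyst_threshold:
        return "analyst-review"
    return "monitor"


def lookback(sha256: str, events: Iterable[dict]) -> List[str]:
    """Retrospective search: earlier events carrying the same indicator."""
    return [e["id"] for e in events if e.get("sha256") == sha256]


# Constructed indicator (hash of a made-up string, not a real file).
SAMPLE_HASH = hashlib.sha256(b"constructed sample, not a real file").hexdigest()


def build_notices() -> List[dict]:
    a = sign_notice("vendor-feed", {"sha256": SAMPLE_HASH, "method": "sandbox-detonation"})
    b = sign_notice("public-report", {"sha256": SAMPLE_HASH, "method": "report"})
    c = sign_notice("isac", {"sha256": SAMPLE_HASH, "method": "endpoint-capture"})
    c["body"]["method"] = "sandbox-detonation"   # altered in transit: MAC no longer matches
    return [a, b, c]


HISTORICAL_EVENTS = [   # constructed SIEM records from previous weeks
    {"id": "evt-0412", "host": "ws-17", "days_ago": 41, "sha256": SAMPLE_HASH},
    {"id": "evt-0560", "host": "ws-03", "days_ago": 30, "sha256": "0" * 64},
    {"id": "evt-0877", "host": "srv-02", "days_ago": 9, "sha256": SAMPLE_HASH},
]


def run_demo() -> Tuple[float, str, List[str]]:
    score = credibility(build_notices())      # 1 - (1-0.8)(1-0.2) = 0.84
    return score, triage(score), lookback(SAMPLE_HASH, HISTORICAL_EVENTS)


if __name__ == "__main__":
    print(run_demo())   # (0.84, 'analyst-review', ['evt-0412', 'evt-0877'])
```

The look-back result is handed to the analyst alongside the score rather than acted on blindly: a 0.84 sits in the review band, and the two earlier sightings tell the analyst how far back the scoping has to go.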

Every security team I have spoken with is trying to do more with less, and the increasing volume of alerts and attack surface is certainly contributing to the more part. As we are inundated with security event info, we need to quickly filter that flood to focus on what is most credible and most important. Reducing time to detection and time to containment or remediation are the goals, and SIEM automation is at least part of the answer.


Security experts have long debated the merits of whitelisting versus blacklisting. While the first intuitively seems more secure, the reality is that whitelisting is also more difficult to implement and manage. Strategic decisions are driven by organizational needs, which seems to recast the question: do businesses prioritize security over efficiency with whitelisting, or vice versa?

In fact, this type of thinking extends beyond the choice between whitelisting or blacklisting. While trade-offs are an unavoidable aspect of decision-making, shouldn’t we be finding solutions that can maximize the yield of both factors?

We need adaptive solutions, ones that can accommodate today’s IT environment. With the proliferation of applications in the cloud and the data center, users want flexible access, which simultaneously increases risk. We can’t live with solutions that trade off efficiency against security to meet increasing demand anymore; we need security solutions that are both efficient and secure.

Several factors demonstrate this need.

There are more unknown and unwanted applications than ever before.

Global intelligence alone is becoming insufficient due to the large number of unique malware samples.

We need quicker response speeds to contain malware.

When new challenges like these arise, it’s not IT’s job to simply identify the easiest method with the least trade-off, but to find a solution to accomplish the necessary tasks with the smartest method. What if there was an intelligent and efficient method of whitelisting, suited to today’s environment?

The beauty is that more data leads to better decision making. What if observations from multiple sources could inform each other in real time? We designed McAfee Application Control 7.0 with this in mind.

Historically, McAfee Application Control has taken advantage of global data to benefit organizations. McAfee Global Threat Intelligence (GTI), an exclusive technology based on real-time information from millions of sensors worldwide, provides threat intelligence. Data from our large network allows the reputation of files, messages, and senders to be classified for monitoring purposes.

While that is certainly useful, we’ve realized that global information is even more valuable when complemented with local data. We’ve extended the use of local knowledge to threat containment in McAfee Application Control 7.0. With our latest release, users can leverage McAfee Threat Intelligence Exchange (TIE) for local intelligence. And, they can use McAfee Advanced Threat Defense (ATD) to analyze the behavior of unknown applications in a sandbox. All endpoints are automatically immunized from newly detected malware, shortening the response time from days or weeks to milliseconds. Users get complete and fast protection detailed in the image below.

In addition to allowing software execution based on an approved whitelist, local and global reputation, and sandbox test verification, McAfee Application Control can also use a Dynamic Trust Model. In this model, some programs are identified as trusted, which allows them to create or modify applications. For example, provisioning and patching tools are obvious choices, but an observation mode feature automatically suggests new programs to be included as well. By also including trusted certificates, directories, and users, you have a lot of flexibility.
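To make the trust sources concrete, here is an added example of an execution-control decision written in the spirit of the model just described (an illustration for this page, not McAfee Application Control’s own logic): a file may run if its hash is on the approved list, if it is signed by a trusted certificate, if it lives in a trusted directory, if it was written by a trusted updater, or if its reputation is known-good, and a known-bad reputation from a sandbox or reputation lookup vetoes everything else. Observation mode allows the unknown file but records it as a suggestion for the allowlist. The policy contents, hashes and paths are constructed; the reputation dictionary stands in for local and global reputation lookups.

```python
"""Added example: an execution-control decision combining an allowlist with
trusted signers, directories, updaters, users and reputation, plus an
observation mode. Constructed policy and requests, not product code.
"""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ExecRequest:
    path: str
    sha256: str
    signer: Optional[str] = None       # subject of the code-signing certificate, if any
    created_by: Optional[str] = None   # process that wrote the file, if tracked
    user: Optional[str] = None         # account requesting execution


@dataclass
class TrustPolicy:
    allowlist: Set[str] = field(default_factory=set)         # approved file hashes
    trusted_signers: Set[str] = field(default_factory=set)
    trusted_dirs: Set[str] = field(default_factory=set)
    trusted_updaters: Set[str] = field(default_factory=set)  # patching/provisioning tools
    trusted_users: Set[str] = field(default_factory=set)
    reputation: Dict[str, str] = field(default_factory=dict) # hash -> known-good / known-bad
    observation_mode: bool = False
    suggestions: List[str] = field(default_factory=list)     # candidates for the allowlist

    def _in_trusted_dir(self, path: str) -> bool:
        p = posixpath.normpath(path)
        for d in self.trusted_dirs:
            d = posixpath.normpath(d)
            # commonpath avoids the prefix bug where /opt/trusted matches /opt/trusted_evil
            if posixpath.commonpath([d, p]) == d:
                return True
        return False

    def decide(self, req: ExecRequest) -> Tuple[bool, str]:
        # A known-bad verdict (sandbox or reputation) vetoes every trust source.
        if self.reputation.get(req.sha256) == "known-bad":
            return False, "reputation:known-bad"
        if req.sha256 in self.allowlist:
            return True, "allowlist"
        if req.signer in self.trusted_signers:
            return True, f"signer:{req.signer}"
        if self._in_trusted_dir(req.path):
            return True, "trusted-directory"
        if req.created_by in self.trusted_updaters:
            return True, f"updater:{req.created_by}"
        if req.user in self.trusted_users:
            return True, f"user:{req.user}"
        if self.reputation.get(req.sha256) == "known-good":
            return True, "reputation:known-good"
        if self.observation_mode:
            self.suggestions.append(f"{req.path} sha256={req.sha256[:12]}...")
            return True, "observation-mode"
        return False, "unknown"


def build_policy(observation_mode: bool = False) -> TrustPolicy:
    """Constructed policy; hashes are placeholders, not real file digests."""
    return TrustPolicy(
        allowlist={"a" * 64},
        trusted_signers={"CN=Example Corp Code Signing"},
        trusted_dirs={"/opt/trusted"},
        trusted_updaters={"patch-agent"},
        trusted_users={"svc-provisioning"},
        reputation={"b" * 64: "known-good", "c" * 64: "known-bad"},
        observation_mode=observation_mode,
    )
```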

The essential emphasis is on adaptive intelligence, or getting the most useful insights from the most relevant information and implementing the security posture that is right for you. These are what make McAfee Application Control 7.0 unique.

It’s clear that today’s environment is rendering forced trade-offs between security, business efficiency, and adaptability quite undesirable. Instead, the task should be to find IT solutions that remove these limitations in the first place. Using McAfee Application Control 7.0 is a jump towards this direction.

Click here to learn more about McAfee Application Control 7.0 and for all the latest industry updates, follow us on Twitter at @IntelSecurity.


In their recent 2015 Global Business Technographics® Security Survey, Forrester reports that improving threat intelligence capabilities is a top priority for 71% of enterprises. But enterprises don’t need to improve their ability to gather threat intelligence—the abundance of shared intelligence and threat inputs is already overwhelming for security teams. Operationalizing the intelligence once you have collected it is the big challenge. It’s crucial to have a system that not only collects threat information, but also prioritizes and disseminates it to all your security control points in a timely and efficient manner. McAfee Threat Intelligence Exchange can operationalize threat intelligence in real time. It now allows inputs from more sources and is expanding its connection to more security solutions—from McAfee and other security vendors.

This global and local threat information is then shared throughout your entire Security Connected ecosystem in milliseconds, so that all your security control points can receive this data and act on it, applying appropriate remediations when and where they’re needed. Over the McAfee Data Exchange Layer, the McAfee ecosystem acts as one, with seamless, real-time communication among all your solutions. That includes McAfee products and solutions from other vendors, including ForeScout, TITUS, InfoReliance, CyberArk, TrapX and Avecto.

More details on McAfee Threat Intelligence Exchange 1.2, including partner and customer case studies and a live demo, will be shared at McAfee MPOWER, October 26 to October 28.


In our previous blog, we covered how customizing SIEM for threat management requires both resources and expertise. As a result, McAfee created “ready to go” content packs based on Gartner’s top use cases, targeting aspiring users who want to expand their SIEM detection and response use cases without spending countless hours and resources on tuning.

Over the past 6 months multiple content packs have been delivered to all licensed ESM customers and are intended to assist members of Security Operations teams.

For instance, the threat analyst will get new threat detection capabilities via hundreds of correlation rules and views, enabling visibility into cyber attack chain steps such as Reconnaissance, Exploit or Command & Control.

Incident response and security operations users can improve their visibility and understanding of the security infrastructure by reviewing Firewall traffic, authentications or top blocked web domains trends.

Senior Security Management staff can assess their team productivity by getting more insights into escalated cases, progress of investigations and summary of all detected malware and correlations activity.

And finally, the SIEM administrator will be able to implement these new use cases faster with the detailed instructions and related McAfee ESM system settings that accompany each content pack.

The outcomes for organizations are, of course, maturing security analytics and investigations and moving toward a more proactive, streamlined threat management model. The use cases and elements that enable these analytics are manifold.

Use Case 1: Expand detection across the cyber-attack chain: Rather than just throwing hundreds or thousands of rules or alarms at users, correlation rules have been grouped inside the content packs to help security organizations detect, prioritize and take corrective action across the cyber-attack chain spectrum. For instance, reconnaissance activity can be detected via 58 new correlation rules grouped under the “Recon” content pack, weaponization steps can be revealed via the abnormal traffic pattern discovery rules provided in the Web Filtering content pack, and control activity can be analyzed via the alarms and views in the Authentication content packs.

Use Case 2: Accelerate investigations: The same is true of the provided views and reports, which have been designed specifically to help the user accelerate investigations. For instance, by opening the “web filtering view” the analyst can review all external web connections, drill down into denied connections and, with a single click, prioritize only those endpoints with potential unwanted applications and redirections.

Use Case 3: Peer analysis : Another popular security analytics use case is based on peer analysis; comparing – on a user-by-user or host-by-host basis – geolocations or zones inside the organization and allowing the analyst to filter high risk users or hosts based on all evidence stored in ESM. This analysis is less dependent on predefined correlation rules and leverages contextual elements to detect adversarial activity as well as potential weaknesses in the existing security infrastructure.
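Use Cases 1 and 3 describe two different kinds of content: a correlation rule that fires on a pattern (reconnaissance) and a peer-analysis view that needs no predefined attack signature at all. The following added example (constructed for this page; the thresholds and events are assumptions, not rules from the McAfee content packs) shows one minimal instance of each over the same in-memory event set: a port-sweep rule that counts distinct destination ports per source inside a sliding window, and a peer comparison that flags a user whose login geography appears for nobody else in their department.

```python
"""Added example: a reconnaissance correlation rule and a peer-analysis view
over constructed SIEM events. Thresholds and data are illustrative only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set


def recon_port_sweep(flows: List[dict], window: timedelta = timedelta(minutes=5),
                     min_ports: int = 20) -> Dict[str, int]:
    """Rule: one source touching >= min_ports distinct ports within `window`.

    Returns {src: max distinct ports seen in any window}. O(n^2) per source,
    which is fine for a demonstration; a SIEM keeps a rolling aggregate.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    hits: Dict[str, int] = {}
    for src, evts in by_src.items():
        evts.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evts):
            start = e["ts"] - window
            ports = {x["dport"] for x in evts[: i + 1] if x["ts"] >= start}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


def peer_geo_outliers(auth_events: List[dict]) -> Dict[str, Set[str]]:
    """View: countries a user logged in from that none of their peers used."""
    countries_by_user: Dict[str, Set[str]] = defaultdict(set)
    dept_of: Dict[str, str] = {}
    users_by_dept: Dict[str, Set[str]] = defaultdict(set)
    for e in auth_events:
        countries_by_user[e["user"]].add(e["country"])
        dept_of[e["user"]] = e["dept"]
        users_by_dept[e["dept"]].add(e["user"])
    outliers: Dict[str, Set[str]] = {}
    for user, countries in countries_by_user.items():
        peers = users_by_dept[dept_of[user]] - {user}
        if not peers:
            continue                      # no peer group to compare against
        peer_countries: Set[str] = set().union(*(countries_by_user[p] for p in peers))
        odd = countries - peer_countries
        if odd:
            outliers[user] = odd
    return outliers


# Constructed events. 10.0.0.5 sweeps 25 ports in ~75 seconds; 10.0.0.7 is normal.
T0 = datetime(2016, 5, 3, 9, 0, 0)
FLOWS: List[dict] = [
    {"ts": T0 + timedelta(seconds=3 * i), "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 1000 + i}
    for i in range(25)
] + [
    {"ts": T0 + timedelta(minutes=i), "src": "10.0.0.7", "dst": "10.0.1.10", "dport": p}
    for i, p in enumerate([80, 443, 80, 22])
]
AUTH: List[dict] = [
    {"user": "alice", "dept": "finance", "country": "US"},
    {"user": "bob", "dept": "finance", "country": "US"},
    {"user": "carol", "dept": "finance", "country": "US"},
    {"user": "carol", "dept": "finance", "country": "RO"},   # only finance login from RO
    {"user": "dave", "dept": "eng", "country": "DE"},
    {"user": "erin", "dept": "eng", "country": "DE"},
]

if __name__ == "__main__":
    print(recon_port_sweep(FLOWS))    # {'10.0.0.5': 25}
    print(peer_geo_outliers(AUTH))    # {'carol': {'RO'}}
```

The peer view deliberately has no notion of what an attack looks like; it surfaces whoever differs from their group, and the analyst decides whether that difference is travel or a compromised credential.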

In brief, content packs are a great enabler for organizations to expand the breadth and depth of detection across the cyber-attack chain, as well as to reduce response effort via their SIEM. Insights, implementation guidelines and examples are described for each content pack on the expert center and in KB articles.


The massive amount of log, event and flow data within the SIEM offers security analysts answers to essential security questions such as “who is accessing critical business systems,” or, more importantly, “was there any anomalous activity before, during or after the connection?”

To get all these answers, though, users need to filter, correlate, and view relevant events by adding knowledge or “Content” to the SIEM system. Typically, the SIEM expert creates and maintains the arsenal of dashboard views, correlation rules, watchlists, alarms, and reports related to this data processing. They draw on knowledge of event sources, related semantics and of course the targeted use cases. For example, creating correlation rules not only requires deep insights into the adversary activity, it also requires knowledge of the SIEM data system to create the right content without affecting system performance. The combination of the threat knowledge and required system configuration can be time consuming and challenging before the SIEM delivers on all of its value.

There’s new help for this operational burden and training hurdle. Starting in version 9.5, McAfee Enterprise Security Manager (ESM) customers can simplify operations with “ready to go” content packs for top security use cases such as those described by Gartner Analyst Anton Chuvakin in one of his blogs. Now SIEM users can respond to threats or compliance needs without wasting time understanding the event source output or creating the content from scratch. Additionally, SIEM administrators are unencumbered from the task of creating, tuning and maintaining use case-specific content.

Free, and easy to use

The frequently updated content packs include not only ‘best practices’ on how to set up McAfee ESM for a specific threat monitoring use case, they also hold all the ingredients (rules, dashboards, and reports) to get the desired outcome. Systems administrators save time and avoid trial and error as they employ vendor-supplied content while they mature their related policies and procedures.

Built by McAfee SIEM experts, these content packs are distributed free of charge. Users can review, select, download and deploy the SIEM content configurations directly from within the McAfee SIEM User Interface. Guidelines on intended usage, related device types, pre and post installation steps are explained to the system administrator for better insights and expected outcomes of the targeted use case. After installation, most of the content, including reports and correlation rules, can be tailored to user-specific enterprise environments. Distribution of the content packs is provided via the existing McAfee ESM Rules Server so no additional network or firewall changes are required to get access to the updates. This also allows for new content to be published and deployed between software release cycles and for updates to be applied without requiring any operational downtime for the SIEM platform.

For more information on the content packs, please visit the expert center, here.

The KB articles are available by logging onto kb.mcafee.com and entering `"siem content pack":*/title` in the search term bar.


For the fourth year in a row, McAfee landed in the leader’s quadrant of the Magic Quadrant for Security Information and Event Management (SIEM) report, published by Gartner, Inc. The annual report, which came out in late July, evaluates vendors who offer SIEM products on both the ability to execute and completeness of vision.

The report serves as a survey of the enterprise security landscape with Gartner highlighting early detection of targeted attacks and breach occurrences as the greatest area of unmet need. “Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics.”

Intel Security’s Security Connected integrations, breadth of device support, ease of data consumption, querying capabilities and enterprise scalability of McAfee Enterprise Security Manager (ESM) comprised a “completeness of vision” that helped it retain its placement in the top three vendors.

McAfee provides the threat intelligence needed for combating today’s advanced threats. In order to detect threats, McAfee Enterprise Security Manager prioritizes potential threat alerts before they occur and analyzes data for patterns indicating larger threats. McAfee ESM also leverages contextual information (such as threat feeds, IOCs, vulnerability scans, asset and identity management systems) for a better understanding of the impact security events can have on business processes—all of which is available in dedicated dashboards for cyber threat management and risk analytics.

Gartner, Inc., “Magic Quadrant for Security Information and Event Management,” by Kelly M. Kavanagh, Mark Nicolett, Oliver Rochford July 20, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.



Nineteen percent of advanced targeted attacks take weeks to discover. Fourteen percent take months to find. And, unfortunately two percent take several years to surface.

With undetected attacks lurking around every corner, you need tools that can identify and eradicate threats fast.

The State of Detection and Correction

Unfortunately, even after an initial abnormality or threat is discovered, it can still take days or months to reach full discovery and containment. Well-funded hackers are continuing to hone their skills and create more sophisticated attacks that are even more complex in their tactics. Additionally, the most destructive malware is designed to evolve over time, making it increasingly difficult to detect.

When targeted attacks are launched against your organization, you face the risk of stolen data and compromised devices, which not only means a possible data breach disclosure, but also leaked information reaching your competitors, extensive threat containment costs, and spoiled brand reputation.

Here are four simple steps to help you protect, detect and correct targeted attacks.

Know Your Cyberattack Chain

While every cyberattack is unique in its destructive capability, most still unfold and progress through a number of predictable stages, known as the cyberattack chain. When you understand the typical strategies intruders use to get into your network, you are better armed to defend your systems. Once you have identified the attack chain that cyberthreats could follow within your network, you can apply protection and mitigation strategies. In addition, it is essential to create a baseline of normal data flows to be used as a benchmark for detecting anomalies in your network.

Adapt Your Security Solutions

In 2015, it is predicted that global IT security spending will hit over $76 billion. In a world where 362 new threats are occurring every minute, threat protection is more vital than ever. Isolated point products, no matter how great they are, will not stand up to the complexity of today’s attacks. It’s time for security to be as sophisticated as the attack—with integrated solutions that share threat intelligence and move from a reactive to proactive security posture, adapting with changes in the threat landscape.

Use External Data

As a business, you have a vast amount of data at your disposal, which can be helpful in detecting and preventing cyberattacks. By collecting data on file reputation, for example, you can block known malicious files that could threaten your network. You can also analyze data from phishing emails to collect URL and domain data, use malware indicators to comprehend how malicious code affects various devices, or even leverage information about adversary networks so you know what web addresses to block.

TIE It Up

When it comes to threats to your data, one of the biggest issues for enterprises is identifying how many systems have been infected. By using tools like McAfee Threat Intelligence Exchange (TIE), you can home in on where a malicious file was introduced. This visibility also extends to how the file behaves, such as whether it appears in Add/Remove Programs, drops items in the C:\temp folder, or hooks registry keys. TIE features the ability to integrate external threat feeds with local intelligence, enabling you to evaluate threats with third-party data.

That is just a taste of what McAfee Threat Intelligence Exchange can do to help you detect and eradicate malware in your organization. Want to learn more? Check out our Senior Director of Sales Engineering, Chris Cole’s, FOCUS 14 presentation or our Tech Talk Event, and follow @McAfee for new product updates.


Organizations and enterprises today are more aware than ever of the dangers posed by cybercriminals and advanced persistent threats (APTs). So, how can they fight back against these online threats in a situation where one size never fits all?

One solution that we tout in our ‘When Minutes Count’ report: stretch your Security Information and Event Management (SIEM) solution! Getting the best protection out of your SIEM solution hinges on you taking the time to learn how to leverage your tools to their fullest extent. That is something we can provide right here, in this blog.

We’ve discussed how you can take into account the eight most common Indicators of Attack (IoAs) and the importance of going on the offensive with your SIEM solution to detect and disrupt threats in real-time. But there’s one last thing we need to cover: automating your SIEM solution for quicker detection and optimized threat prioritization.

To do this, CISOs and security admins must take advantage of all that a SIEM has to offer through its automation capabilities. Here’s how:

Use Threat Intelligence

Threat intelligence is a simple concept: protect your business with the shared security experiences from thousands of organizations and security vendors from around the globe. With access to up-to-date reputations for bad destinations and other dynamic attributes, using threat intelligence is critical for the success of your team. According to a customer base survey, McAfee Global Threat Intelligence users saw at least a 20 percent bump in prevention and a 29 percent reduced time to detection. Every percentage point counts when talking about protecting corporate information!

Data Collection and Aggregation

Knowing what your attackers are looking for is key to securing your organization, and that means identifying and hardening your organization’s valuable data. Documenting and baselining the characteristics of an asset — how it’s used, who is using it and how it could be attacked — can help to alert IT teams to unusual behavior, allowing them to act quickly. By getting IT and security teams to work together with business partners, you can better secure your organization.

Correlation and Rich Rules

With a proactive approach to security, organizations can significantly raise the barrier to entry for many cybercriminals. Correlation by a real-time SIEM solution can help IT teams achieve this goal by detecting suspicious activity automatically, immediately bringing a potential threat to their attention. But, beyond the limitations of legacy tools, this can only be done when IT teams take the time to establish multi-step rules and multi-attribute logic with their SIEM solution.

Appropriate Automation

All of these efforts help to build an automated SIEM solution that helps security teams to receive and react to event and threat data faster than before. And, with both manual and automated approval steps for workflows, companies can achieve a consistent and more effective response to threats while still keeping critical decision makers in the loop.

When minutes count, you have to shave off every second between an IoA and appropriate action. Otherwise, you risk compromise.

To learn more about what steps your organization can take to protect and detect in real-time, download our report, “When Minutes Count,” here and check out its accompanying infographic here.


As cyber criminals move faster and stealthier, taking advantage of new tools provided through an adversarial community, security teams need to be able to respond with equal or greater speed. Every second counts after a cyber attack. Therefore, it is imperative to have a solid plan in place for actions that take place during the moments immediately following an incident or what we call the “Security Golden Hour.”

In a recent ESG survey “Tackling Attack Detection and Incident Response” commissioned by McAfee, responders indicated they spend their time on five key tasks. Top of the list included:
1. Determining the impact of the incident
2. Taking action to minimize the attack
3. Analyzing security intelligence
4. Determining which assets remain vulnerable
5. Performing forensic analysis

When asked which initiatives would help boost staff efficiency, three key SIEM capabilities came to the surface: first of all “better detection tools” to find potential malware accurately, followed by “better analysis tools” and “process automation to free up staff”. These findings also form the foundation of the seven key actions McAfee’s Enterprise Security Manager (ESM) provides during the golden hour.

The first group of SIEM actions relates to identifying the threat. The priority here is to reduce false positives and bring potential adversarial activity in front of the security analyst quickly and accurately. McAfee ESM advanced analytics (action #1) provides an overview of who is using valuable infrastructure, and when and where. During this analysis, ESM calculates baselines, brings known and unknown threats to the surface via rule- and risk-based correlation, and leverages enterprise contextual information for better insights. A second action (#2) that ESM supports is the collection and harvesting of threat intelligence. This step helps users identify threats based on the misfortune of others and confirms to the security analyst whether the threat has already been seen somewhere else. A unique third action (#3) from McAfee ESM is correlation that is both real-time and historical. Where most SIEMs will only leverage threat intelligence going forward, McAfee ESM verifies whether the organization has already been impacted by a known IOC (Indicator of Compromise) via the BackTrace feature.

After identification, users need to review, prioritize and decide what to do next. During this second phase, visualization (#4) and isolation (#5) of threat activities are the next key actions a SIEM should provide. Pre-built or custom dashboards, with fast and easy access to data, allow the user to run investigations quickly and reduce the time to prioritize the threat. Additionally, Asset Threat Risk dashboards aggregate known external threats, asset vulnerabilities and available countermeasures to help the security analyst pinpoint which enterprise assets are truly at risk.

In the last step, the incident responder acts by eradicating (#6) the adversary and communicating (#7) the required actions to the IT operations teams. These two actions can be taken directly from the console or can be fully automated to optimize security resources. Via the built-in case management tool, the security operations manager can review open and closed incident response tasks as well as spot recurring incident types for improved automation.

Review examples of known threats, SIEM best practices and the 7 key SIEM actions in a recent Secure World Webinar: https://goto.webcasts.com/starthere.jsp?ei=1056214


In a blog last week, I discussed CryptoLocker, a particularly nefarious family of ransomware, and how to defend against it.

I thought it would be worthwhile to demonstrate how McAfee Threat Intelligence Exchange can detect and stop malware like ransomware, even if the suspicious file has not been flagged as malware by antivirus signatures.

In addition to showing McAfee Threat Intelligence Exchange in action, I also show how McAfee Advanced Threat Defense performs deep analysis, including dynamic sandboxing and static code analysis, to confirm that the file flagged is malware and is indeed malevolent.

In the upcoming McAfee Labs Threats Report: May 2015, McAfee Labs will explore ransomware and the huge rise in the volume of attacks in Q1. As CryptoLocker and other forms of ransomware continue to morph and become more aggressive, it is vitally important to understand how ransomware works and what can be done to protect against it.

Reaping the benefits of SIEM

For automated tools such as Security Information and Event Management (SIEM) to improve your security posture and reduce your response time, they need to be intelligent, actionable, and integrated. They need to help you find what’s important so your team can spend more time with the most critical issues and less time trying to understand what’s important and what’s not. The latest release of McAfee Enterprise Security Manager (ESM), v9.5, augments your team’s abilities with enhanced real-time monitoring, automated historical analysis, simplified operations, and tighter integration with threat intelligence.

Automation that is not intelligent is just an amplifier – it increases both the good and the bad. McAfee ESM 9.5 gets smarter by enhancing its real-time monitoring capabilities with a threat management dashboard that can receive and understand information on emerging suspicious and malicious threats reported via STIX/TAXII, McAfee Advanced Threat Defense, and third-party URLs. Instead of having to collect this information manually, you can now quickly and easily review and manage cyber threat intelligence at a glance from a centralized dashboard. McAfee Advanced Threat Defense (ATD) sandboxing functions investigate potential indicators of attack or compromise. ESM now integrates and automates communications with ATD, receiving notification of convicted files, asking for additional details, and adding the necessary information to watch lists and alerts.

Making decisions on whether a threat is relevant and what its risk level is becomes increasingly complicated. McAfee simplifies deployment and ongoing risk monitoring with hundreds of out-of-the-box rules and reports, as well as pre-defined content packs that include views, reports, watch lists, key variables, and alarm rules for specific use cases. The first 12 content packs include monitoring for insider threats, data leakage, email content, suspicious activity, malicious activity, malware, reconnaissance, web filtering, and Microsoft Windows authentication. Using the risk advisor dashboard, you can now get information instantly about a threat, its severity, and the risk it presents through a risk score that unifies vulnerability status, asset criticality, and the countermeasure protection available for the threat. This assessment helps prioritize security and patching efforts according to an asset’s value.
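The asset-centric risk score described above (and the Asset Threat Risk dashboard mentioned in the golden-hour post earlier on this page) is essentially a join of three data sets: what threats are being reported, which weaknesses each asset actually carries, and which countermeasures already stand in front of it. The following is an added example with an assumed scoring model, not McAfee ESM’s risk advisor logic: asset names, weakness identifiers (WEAK-…), countermeasure identifiers (IPS-SIG-…), threat names and all weights are constructed placeholders.

```python
"""Asset-centric risk prioritization from threat, vulnerability and countermeasure data.

Added example with an assumed scoring model (not McAfee ESM's own). All identifiers
below are constructed placeholders, not real CVEs, signatures or hosts.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (business critical); assumed scale
    vulns: frozenset            # weakness ids found by the last scan (placeholders)
    countermeasures: frozenset  # protections deployed for this asset (placeholders)


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int               # 1 .. 5 as reported by the feed; assumed scale
    exploits: frozenset         # weakness ids the threat is known to abuse
    blocked_by: frozenset       # countermeasure ids that stop it


SHIELD_DIVISOR = 4  # assumed: a shielded-but-unpatched exposure keeps 1/4 of its weight


def asset_risk(asset: Asset, threats: List[Threat]) -> Tuple[int, List[str]]:
    """Score one asset against every reported threat; return (score, reasons).

    A threat only counts if the asset carries a weakness the threat exploits.
    A deployed countermeasure that blocks the threat reduces, but does not erase,
    the contribution, so the unpatched weakness is still tracked.
    """
    score, reasons = 0, []
    for t in threats:
        exposed = asset.vulns & t.exploits
        if not exposed:
            continue                                   # not vulnerable to this threat
        weight = t.severity * asset.criticality
        if asset.countermeasures & t.blocked_by:
            score += weight // SHIELD_DIVISOR
            reasons.append(f"{t.name}: exposed via {sorted(exposed)}, shielded by countermeasure")
        else:
            score += weight
            reasons.append(f"{t.name}: exposed via {sorted(exposed)}, no countermeasure")
    return score, reasons


def prioritize(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, int, List[str]]]:
    """Rank assets by descending risk score (name breaks ties) for a patching queue."""
    ranked = [(a.name, *asset_risk(a, threats)) for a in assets]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample data (placeholder identifiers, not real CVEs or signatures).
THREATS = [
    Threat("Example.Worm", 5, frozenset({"WEAK-0001"}), frozenset({"IPS-SIG-0001"})),
    Threat("Example.WebShell", 3, frozenset({"WEAK-0002"}), frozenset()),
]
ASSETS = [
    Asset("srv-db01", 5, frozenset({"WEAK-0001", "WEAK-0002"}), frozenset({"IPS-SIG-0001"})),
    Asset("ws-012", 2, frozenset({"WEAK-0001"}), frozenset()),
    Asset("web-01", 4, frozenset({"WEAK-0003"}), frozenset({"IPS-SIG-0001"})),
]

if __name__ == "__main__":
    for name, score, reasons in prioritize(ASSETS, THREATS):
        print(f"{name:10} risk={score:3}  " + ("; ".join(reasons) or "no current exposure"))
```

The point of the `reasons` list is that a score alone is not actionable: the analyst needs to see which threat, which weakness and whether a countermeasure is already in place before deciding between patching, adding a signature, or accepting the risk.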

Perhaps most important is the ability to automatically act on this intelligence, in the future and the past. When a new relevant threat is reported, you add it to your watch list to catch future events or flows with that hash or IP address. But what if your company was attacked before the threat was published? McAfee’s Backtrace feature looks for evidence that your organization has already been attacked, analyzing historical information to see if any machines are already affected. Backtrace will parse the threat notification and look through existing events to see if any elements, such as hash, file name, or IP address, match the event details. If it finds a match, it can generate an alarm and perform a number of automated actions to quickly mitigate and contain the attack.
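The historical matching that Backtrace performs (and that the golden-hour post earlier on this page calls BackTrace, action #3) can be shown in a few lines. The following is an added example, not McAfee’s Backtrace implementation: it matches a freshly received indicator (hash, file name or IP address) only against events recorded before that indicator’s publication date, which is exactly the “were we already hit before we knew?” question the paragraph raises. The feed entries, events, host names and the hash value are constructed sample data.

```python
"""Historical IOC matching over an existing event store ("backtrace"-style).

Added example, not McAfee ESM code. Indicators that arrive today are checked
against events that were collected *before* the indicator was published; later
events are the watch list's job. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str            # "sha256", "filename" or "ip"
    value: str
    threat: str          # name of the reported threat
    published: datetime  # when the feed delivered it to the SIEM


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    sha256: str = ""
    filename: str = ""
    src_ip: str = ""
    dst_ip: str = ""


def _matchable(ev: Event, kind: str) -> List[str]:
    """Fields of an event that an indicator of the given kind can match against."""
    if kind == "sha256":
        vals = [ev.sha256]
    elif kind == "filename":
        vals = [ev.filename]
    elif kind == "ip":
        vals = [ev.src_ip, ev.dst_ip]
    else:
        vals = []
    return [v.lower() for v in vals if v]   # drop empty fields so "" never matches


def backtrace(indicators: List[Indicator], events: List[Event]) -> Dict[str, List[Tuple[str, datetime]]]:
    """Return {threat name: [(host, event time), ...]} for historical matches only."""
    hits: Dict[str, List[Tuple[str, datetime]]] = {}
    for ioc in indicators:
        needle = ioc.value.lower()        # hashes and file names compare case-insensitively
        for ev in events:
            if ev.ts >= ioc.published:
                continue                  # forward-looking matches belong to the watch list
            if needle in _matchable(ev, ioc.kind):
                hits.setdefault(ioc.threat, []).append((ev.host, ev.ts))
    for matches in hits.values():
        matches.sort(key=lambda m: m[1])  # earliest sighting first: that is patient zero
    return hits


def affected_hosts(hits: Dict[str, List[Tuple[str, datetime]]]) -> List[str]:
    """Distinct hosts that need triage, regardless of which indicator matched."""
    return sorted({host for matches in hits.values() for host, _ in matches})


# Constructed sample data. The hash is a placeholder, not a real malware hash.
PLACEHOLDER_HASH = "deadbeef" * 8
FEED = [
    Indicator("sha256", PLACEHOLDER_HASH.upper(), "Example.Dropper", datetime(2015, 5, 10)),
    Indicator("ip", "203.0.113.7", "Example.Dropper", datetime(2015, 5, 10)),
    Indicator("filename", "updater_svc.exe", "Example.Loader", datetime(2015, 5, 11)),
]
EVENTS = [
    Event(datetime(2015, 5, 1, 9, 15), "ws-012", sha256=PLACEHOLDER_HASH),
    Event(datetime(2015, 5, 2, 13, 0), "ws-044", dst_ip="198.51.100.20"),              # benign
    Event(datetime(2015, 5, 3, 22, 40), "ws-007", src_ip="10.0.5.7", dst_ip="203.0.113.7"),
    Event(datetime(2015, 5, 4, 8, 0), "srv-db01", filename="Updater_Svc.EXE"),
    Event(datetime(2015, 5, 12, 10, 0), "ws-099", sha256=PLACEHOLDER_HASH),            # after publication
]

if __name__ == "__main__":
    found = backtrace(FEED, EVENTS)
    for threat, matches in found.items():
        print(threat, [(h, t.isoformat()) for h, t in matches])
    print("hosts needing triage:", affected_hosts(found))
```

Two details matter in practice: the comparison is case-insensitive because hashes and Windows file names arrive in mixed case from different log sources, and the post-publication event on ws-099 is deliberately not reported here, since the watch list already covers it and double-alerting on the same sighting only adds noise.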


Like most things in life, successful planning for a secure network takes a pre-baked strategy. And, with that strategy comes the actions and tasks needed to carry it out. It’s much like sports – you want to enable your organization to be the one with the ball, dictating the offense to successfully execute plays that result in a score. You should control pace of the game. Don’t let the opponent (in this case, the hackers) dictate the pace, or your strategy.

Companies are tasked with protecting their organizations from advanced threats. For many, the most troublesome threats are Advanced Persistent Threats (APTs), those that quietly monitor a network over time to gather and extract sensitive information and intellectual property – and targeted attacks against a single organization. In fact, according to an Evalueserve survey commissioned by McAfee, 74 percent of the 473 surveyed companies said they are highly concerned about these two specific attacks. Hackers, it seems, are setting the pace of the game.

However, an agile offensive strategy can put you in a more proactive position. In the same Evalueserve survey, 53 percent of organizations said they discovered an attack within hours or minutes, allowing them to disrupt the instance. Behind those detections was the presence of technology that integrates threat intelligence, correlation, analytics, active response and adaptive technologies. They employ advanced Security Information and Event Management (SIEM) technology specifically geared to help incident response.


Driven by the misfortune of many, Cyber Threat Intelligence exchange and consumption is becoming more widespread, accessible and standardized. Together with legacy security technologies like Firewall, IPS and Vulnerability Assessment tools, SIEMs have used threat intelligence initially for the most common use-case of detection and – unique for SIEM – as context during attacks. However, threat intelligence can offer more to security teams, for instance, to prioritize or prepare a response to recently reported exposures and exploits. SIEM is also one of the few technologies that can unlock the full power of threat intelligence via some new use cases.

A new emerging use case for SIEM and threat intelligence is managing and presenting cyber threat intelligence data itself. Because SIEM has been designed from the ground up to interpret and manage large data sets, harvesting, organizing and cycling threat data is a perfect fit for SIEM. The recently released McAfee Enterprise Security Manager (ESM) version 9.5 has taken cyber threat management to a new level by collecting and translating suspicious or confirmed threat information into actionable intelligence for security operations teams. McAfee ESM 9.5 can import a wealth of security threat data, including STIX/TAXII feeds, third-party URLs and Indicators of Compromise (IOCs) reported via McAfee Advanced Threat Defense, providing security operations teams with directly readable and usable intelligence for security analytics.

A second important use case for SIEM and threat intelligence is around historical analysis of recently reported threats. Where many SIEMs correlate threat intelligence only for new event data after the threat has been reported – McAfee ESM 9.5 can automate historical analysis via the new Backtrace feature and discover if an organization has already been impacted by recently reported cyber threats.

The benefits of the above use cases are manifold. First, automated digestion of cyber threat intelligence helps reduce manual operational effort. The real advantage for security teams is deeper detection, real-time monitoring and tracking the progress of a newly reported threat through the IT environment. McAfee ESM 9.5 will even help security teams vet the accuracy of a configured threat feed by reporting, from a single view, the indicator name, the date it was received and its hit rate. Also important to highlight is that McAfee ESM offers drill-downs from the cyber threat dashboard into the IOC details, individual source events or flow records.

With these use cases, SIEM remains not only a very popular tool to aggregate, analyze and present threat intelligence, it is also one of the few tools that can be used for detection and response which aligns very well with the initial purpose of integrating threat intelligence: better visibility, rapid detection and responses based on known facts.


The parade of breaches, attacks and various other digital maladies hitting corporations in 2014 made it clear that default, out-of-the-box compliance and security isn’t enough to protect organizations. But the nature of advanced persistent threats (APTs), and other forms of malware, makes it difficult to find an investment that can keep the next threat from growing into the next breach.

As with any security situation, shortening the time from detection to protection is key in surviving an attempted attack. By leveraging a Security Information and Event Management (SIEM) solution and looking to common Indicators of Attack (IoAs), organizations can shave minutes off of their detection process and stop threats before they morph into a full-blown breach.

IoAs are exactly as they sound: common behaviors that could indicate the rumblings of an attack. The goal behind properly identifying and addressing an IoA is to prevent it from becoming an Indicator of Compromise – or, an IoC. Once an IoA goes undetected and becomes an IoC, the business in question is faced with the risk of becoming an embarrassing headline.

So, how can businesses know what to look for? McAfee has compiled a list of the eight most common IoAs and the warning signs of each to help your organization separate the signal from the noise.

With these IoAs you can figure out the who, the what, the when, the where and the how to shut any threat down before it potentially becomes an IoC and, then inevitably, a breach:

1. Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.

Suspicious communications from internal hosts (the computers and other devices that connect to your network) are a strong indicator of attack. The reason: some malicious programs need to connect to their command and control servers, often located in other countries, in order to relay information and to receive orders.

Events such as command shell traffic (SSH) rather than HTTP traffic over port 80, the default web port, can indicate an infected host trying to communicate with a command and control server, or an attacker trying to extract data.

Communication coming from external hosts, or from your DMZ hosts, to your internal network could indicate an attack. This action could allow for leapfrogging from outside actors to your inside network and back, allowing for data exfiltration and remote access to your assets.

4. Off-hour malware detection

Network activity during off hours may not always indicate an attack, but communications from specific devices at odd hours can be an indicator. Setting your SIEM to detect these suspicious communications can reveal a compromised host.

5. Network scans by internal hosts communicating with multiple hosts in a short time frame.

Rapid-fire communications and network scans from internal hosts to other hosts could indicate an attacker attempting to move laterally within a network.

6. Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over 24-hour period.

Multiple alarm events from a single host, or duplicate alarms from multiple hosts, in a short period of time could indicate an attacker attempting to compromise a network or computer.

7. A system is re-infected with malware within five minutes after being cleaned.

While infection is a clear attack, re-infection within minutes of cleaning the compromised host could indicate the presence of an APT – a far more serious issue than simple malware.

8. A user account trying to log in to multiple resources within a few minutes from or to different regions.

A user rapidly attempting to gain access to multiple resources, either from or to different regions, could indicate an active attacker trying to extract data.
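Most of the indicators above are windowed correlations over ordinary event fields, which is exactly what a SIEM rule does. Below is an added example, not McAfee ESM’s rule language, that implements six of them as plain checks over normalized event dictionaries: known-bad or no-business destinations (#1), the protocol/port mismatch and the DMZ-to-internal traffic described above, internal hosts sweeping many peers (#5), re-infection within five minutes (#7), and a user logging in from different regions within minutes (#8). The network ranges, thresholds, reputation entry, country code and every event are constructed assumptions.

```python
"""Windowed IoA detection over constructed SIEM events.

Added example, not McAfee ESM code: a small rule engine for six of the eight
IoAs listed above. Every range, threshold, list entry and event is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment: which ranges are "inside" and which one is the DMZ.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DMZ = ip_network("172.16.10.0/24")
KNOWN_BAD = {"203.0.113.7"}                   # constructed reputation-list entry
NO_BUSINESS = {"ZZ"}                          # placeholder code for a country we never trade with
EXPECTED_PROTO = {80: "http", 443: "tls"}     # what traffic on these ports should look like
SCAN_WINDOW, SCAN_HOSTS = timedelta(seconds=60), 20   # assumed sweep thresholds
REINFECT_WINDOW = timedelta(minutes=5)        # IoA #7 as stated in the post
TRAVEL_WINDOW = timedelta(minutes=10)         # assumed bound for "within a few minutes"


def _internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def detect(events):
    """Run the IoA checks over one batch of event dicts; return sorted (label, subject) pairs."""
    alerts = set()
    flows_by_src = defaultdict(list)   # internal src -> [(ts, dst), ...] for the sweep check
    last_clean = {}                    # host -> time of the last cleanup
    last_login = {}                    # user -> (ts, region) of the previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "flow":
            src, dst = ev["src"], ev["dst"]
            if _internal(src) and (dst in KNOWN_BAD or ev.get("country") in NO_BUSINESS):
                alerts.add(("bad_destination", src))
            expected = EXPECTED_PROTO.get(ev["dst_port"])
            if expected and ev["proto"] != expected:
                alerts.add(("port_mismatch", src))        # e.g. SSH riding on port 80
            if ip_address(src) in DMZ and _internal(dst):
                alerts.add(("dmz_to_internal", src))
            if _internal(src):
                flows_by_src[src].append((ev["ts"], dst))
        elif ev["type"] == "malware":
            host = ev["host"]
            if ev["action"] == "cleaned":
                last_clean[host] = ev["ts"]
            elif (ev["action"] == "detected" and host in last_clean
                  and ev["ts"] - last_clean[host] <= REINFECT_WINDOW):
                alerts.add(("reinfection", host))
        elif ev["type"] == "login":
            user, region = ev["user"], ev["region"]
            prev = last_login.get(user)
            if prev and prev[1] != region and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
                alerts.add(("region_hopping", user))
            last_login[user] = (ev["ts"], region)
    # Sweep check: many distinct peers from one internal source inside a sliding window.
    for src, flows in flows_by_src.items():
        start = 0
        for end in range(len(flows)):
            while flows[end][0] - flows[start][0] > SCAN_WINDOW:
                start += 1
            if len({dst for _, dst in flows[start:end + 1]}) >= SCAN_HOSTS:
                alerts.add(("internal_scan", src))
                break
    return sorted(alerts)


# Constructed sample batch (not real telemetry); T0 is an arbitrary early-morning timestamp.
T0 = datetime(2015, 3, 2, 3, 10)


def _flow(sec, src, dst, port, proto, country="US"):
    return {"type": "flow", "ts": T0 + timedelta(seconds=sec), "src": src, "dst": dst,
            "dst_port": port, "proto": proto, "country": country}


SAMPLE = [
    _flow(0, "10.0.5.7", "203.0.113.7", 443, "tls"),       # known-bad destination
    _flow(5, "10.0.5.8", "198.51.100.9", 80, "ssh"),       # SSH where HTTP is expected
    _flow(9, "172.16.10.4", "10.0.1.20", 445, "smb"),      # DMZ host reaching inside
    {"type": "malware", "ts": T0 + timedelta(seconds=20), "host": "ws-031", "action": "cleaned"},
    {"type": "malware", "ts": T0 + timedelta(seconds=140), "host": "ws-031", "action": "detected"},
    {"type": "login", "ts": T0 + timedelta(seconds=30), "user": "jdoe", "region": "eu-west"},
    {"type": "login", "ts": T0 + timedelta(seconds=200), "user": "jdoe", "region": "ap-south"},
    {"type": "login", "ts": T0 + timedelta(seconds=40), "user": "asmith", "region": "us-east"},
    {"type": "login", "ts": T0 + timedelta(hours=9), "user": "asmith", "region": "eu-west"},  # plausible travel
] + [_flow(300 + i, "10.0.7.15", f"10.0.1.{i + 1}", 445, "smb") for i in range(25)]  # sweep

if __name__ == "__main__":
    for label, subject in detect(SAMPLE):
        print(f"{label:16} {subject}")
```

Each check keys its alert on the host or account rather than on the individual event, which is what lets the same logic feed the “multiple alarms from a single host” indicator (#6) downstream. The off-hours indicator (#4) is deliberately absent: it needs a per-device baseline built from history, not a fixed threshold, and a rule that fires on any 03:00 traffic would drown the analyst in backup jobs and patch windows.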

Through such critical analyses, SIEM solutions can help keep the many types of IoAs from becoming IoCs or outright breaches – an evolution that can happen within minutes and quickly turn into a make or break scenario. That’s why having a fast acting security solution is crucial. It’s also why 78 percent of companies capable of detecting attacks in minutes have a real-time, proactive SIEM solution in place. That’s the kind of threat detection that can keep your company out of the paper and in the public’s good will.

To learn more about what steps your organization can take to protect and detect in real-time, download our report, “When Minutes Count,” here and check out its accompanying infographic here.


Today the SANS Institute released its survey on adoption of the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense. It’s a worthwhile read for CISOs and security analysts charged with overseeing security and risk management. The survey documents adoption highlights and hurdles, primarily experienced by financial services and government organizations. Three sets of findings underscore the importance of “horizontal” elements that act across infrastructure and organizational silos. First, the top measured benefits all pay off the most when systems and data are unified:

Secondly, the issues that are holding people back the most are often best addressed by integration and automation across controls:

Finally, the survey also examined the steps organizations had taken to adopt the controls, and I was struck in particular by the top technologies that were added. SIEM, vulnerability management, and threat intelligence are all capabilities that concentrate insights to make decision-making easier. The latest incarnations of these capabilities substantially advance an organization’s ability to automate decisions with confidence. [Read my Black Hat blog for more on this topic.]

This emphasis on horizontal integration across point defenses is a great sign of the maturation of risk management. It matches our discussions with customers who have indicated that the more optimized and integrated a security architecture is – an approach we call Security Connected – the less organizations spend on security operations while still achieving a better risk posture.

A final comment: I’m pleased to point out that McAfee contributes its expertise to support development and maintenance of the CSCs as an industry framework. As the 2014 SANS Critical Security Controls poster shows, we also offer the broadest available product support for the controls directly, and we team with partners to provide complete coverage. Download your copy of the survey, our CSC white paper, and more at mcafee.com/securityconnected.


They say you can’t teach an old dog new tricks—or can you? The technology landscape has changed dramatically over the last 10 years, and many security approaches organizations previously relied on are no match for today’s advanced threats. Tools like Security Information and Event Management (SIEM) have become critical to securing an increasingly complex network infrastructure.

Understanding how SIEM has evolved over time is crucial to developing effective security and risk management strategies that align with business priorities and can better accommodate distributed IT, cloud, and virtual environments.

Previously, SIEM was a two-blade solution that consisted mainly of log collection and compliance reporting. Today, SIEM solutions act as a Swiss Army knife collecting, storing, normalizing, correlating, and analyzing data from dozens of security and network devices, and providing security intelligence as well as a baseline of typical network behavior.

The basics are no longer enough, however, and next-generation SIEM solutions must have expanded feature sets to provide greater business value.

With this in mind, I’m excited to kick off the Evolution of SIEM Series to share how SIEM can become an integral part of a larger security program. Over the following weeks, I will highlight how the latest McAfee SIEM solution, Enterprise Security Manager (ESM), can improve Big Data Security, situational awareness, advanced evasion, and incident response times.

As businesses face more targeted and persistent threats, a trusted SIEM solution can be an essential security component, critical to detecting and mitigating those risks.

Stay tuned for the next installment, where we will discuss the capabilities that make the McAfee SIEM solution stand out.

In the meantime, be sure to check out the McAfee SNS Journal for technical briefs, news, and product spotlights. Subscribe for monthly updates here.

See what McAfee has to offer by following @McAfeeSIEM on Twitter, and explore our SIEM community to get the latest techniques to protect your organization.

In June, Gartner, Inc. published its annual Magic Quadrant for Security Information and Event Management (SIEM), which evaluates vendors who offer SIEM products on both the ability to execute and completeness of vision. And this year, McAfee holds a spot in the leader’s quadrant.

As the threat landscape continues to expand at an astounding rate, organizations need to be even more nimble when it comes to early detection. It’s no longer a question of if, but when in terms of a security breach—meaning IT security teams must be able to analyze security event data in real time in addition to collecting, storing, analyzing and reporting on log data after an incident has occurred. The increased adoption of SIEM technology is being driven by these new challenges and compliance requirements.

Early breach discovery is one of the most important features SIEM vendors need to offer businesses, and at McAfee we understand that achieving this requires effective user activity, data access and application activity monitoring. To combat the looming specters of advanced evasion techniques (AET) and advanced persistent threats (APT), SIEM solutions must include a combination of real-time security monitoring, historical analysis, and support for incident investigation and compliance reporting tools.

With these next-generation cyber threats in mind, we took a different approach to SIEM with the McAfee Enterprise Security Manager (ESM) solution. In addition to the security information management (SIM) and SEM functions, we also offer a range of specialized add-on products and an extensive security portfolio to give customers better context around vulnerabilities, endpoints, and automated response and blocking.

Monitor database and application activity at the packet level by using the Database Event Monitor (DEM) and Application Data Monitor (ADM) add-ons.

Stay in line with requirements for database application monitoring and industrial control systems with the new suite of regulatory compliance reports for McAfee ESM.

To learn more about how McAfee® ESM can benefit your organization, visit our website and read the full Gartner report here.

Gartner, Inc., “Magic Quadrant for Security Information and Event Management,” by Kelly M. Kavanagh, Mark Nicolett, Oliver Rochford June 25, 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Since starting my career at McAfee in 2002, I have seen so many changes within the company and the security industry at large. New technologies have transformed the relationship between enterprises, their employees, and their critical systems—for better or for worse. And in my role overseeing McAfee’s Security Management business, I have had the opportunity to be at the ground floor with each new milestone. Working with my team and partners to drive innovation and worldwide growth for this area of the business, I have had a front seat to these changes and how they have impacted our customers and partners. Some of the most notable changes have been around the Mobile and Security Information and Event Management (SIEM) industries, with McAfee spearheading the services built to address each new threat.

When I began working with McAfee customers to develop their SIEM solutions 12 years ago, it served as more of a box to check rather than an essential tool for fighting cybercrime. SIEM used to be synonymous with log management and was only really implemented for security audit purposes. That isn’t the case anymore and many organizations are using SIEM solutions to better secure their networks and meet compliance mandates within the confines of tight security budgets and limited resources.

Today, Advanced Persistent Threats (APT) and zero-day exploits alone have made the monitoring and management capabilities that SIEM provides a necessity. Companies can use the valuable information provided to take action on anomalies and prepare against new attacks. As SIEM adoption becomes more widespread, from enterprises down to small and medium-sized businesses, having that information work in tandem with other security systems will be crucial to managing risk.

Much like SIEM, the Mobile space has also changed drastically—going from disparate devices and management to an interconnected system with the rapid adoption of smartphones, tablets, wearables, smart sensors, etc. Previously, PDA protection was the only mobile security needed, but now that devices of all forms and operating systems can connect to enterprise applications and data, increased visibility is crucial. IT teams must be able to see what devices are accessing the enterprise and what they are doing with corporate data on and off the network in order to prevent mission critical information from being compromised.

McAfee has been there since the beginning of these paradigm shifts, providing advanced security platforms that extend to every endpoint available today. Previously, SIEM and Mobile did not have much in common, but the information that each provides linked together through the McAfee Security Connected framework can have a huge impact on our customers’ security today and into the future.

I am excited to take on this new task, in upcoming blogs, to explore how unified solutions can help businesses defend against ever-changing cyber threats, as well as key trends related to SIEM, Risk Management, Vulnerability Management, Policy Compliance, Mobility with Internet of Things (IoT), and Security-as-a-Service.

Tune in for my next post and stay on top of the latest enterprise security threats by following @McAfeeBusiness on Twitter.

DTS is one of the larger systems companies in Germany, with around 140 team members in six locations. Mid-sized and enterprise companies, as well as public institutions, rely on DTS to meet high data security demands and remain compliant with domestic and international regulations.

The challenge for the security professionals at DTS was one of scalability: company growth, an array of expensive security systems, and the increased demand of securing cloud computing applications among its customers required extensive administration and management time. To solve this problem, DTS committed itself to finding an integrated security and compliance solution capable of relieving internal resource pressures and fulfilling current and future security requirements, including cloud applications. It found that solution in McAfee’s SIEM offering, Enterprise Security Manager (ESM).

Implementing McAfee’s SIEM solution relieved pressure on the DTS Data Centre Team, which faced the challenge of processing and evaluating exponentially growing data from its cloud business model.

Today, security specialists at DTS spend roughly 50% less time on evaluation and structural management of event and system information. Security experts also receive risk-relevant, real-time information that allows shorter reaction times when threats arise. Complete audit protocols and reports for common compliance standards such as PCI-DSS, HIPAA, FISMA, GLBA, BASEL II, or SOX can be created at any time, helping DTS and its customers to ensure compliance.

With McAfee Enterprise Security Manager, DTS achieved two important goals. First, the ability to offer its customers professional services for adhering to compliance and statutory guidelines: ESM’s hundreds of pre-installed dashboards and reports allow DTS to respond more quickly and efficiently to the different compliance requirements of its customers. Second, rather than letting routine administration and management tasks devour time, security specialists at DTS can now spend more time focusing on innovative new services and projects for their customers.

Talking with customers during the past few months, the key topics and questions we heard were all about targeted attacks, threat intelligence, and security information and event management (SIEM). However, there seems to be a myth that “once we have SIEM, we will have visibility into threats”—as if SIEM will give us all the answers.

To successfully deploy SIEM and benefit from its capacity and functionality, you must first lay a proper foundation. Like building a house, you don’t build it on sand, but on solid ground. The foundation is deeply anchored. Your solution needs to withstand and survive a (log and event) storm and report what you need to see.

To lay the foundation for SIEM, you must carefully review the following pillars:

Identify what to protect: critical assets

Log management

Event cases

Incident response management and capacity

Identify what to protect

In many of our engagements to build a security operations center, we’re told “everything needs to be protected.” If that’s the case, you have just decided to overflow your SIEM with tons of events. You will certainly miss the events you need to react to. We recommend first monitoring your critical assets. What are they? Those are the systems and services that are the moneymakers for your company. If they were down/lost/damaged, it would have a huge impact on you and could ruin your business, resulting in financial loss. An example of a critical asset might be your SAP or ticket-booking system.

Log management

Once you have identified the critical assets, what kind of logging is available for the systems that are involved? Is logging enabled? What is the retention policy of the log files? Are all assets in sync with regards to time, or is there an offset causing a gap during a timeline analysis of an incident?

Event cases

Once the critical assets are identified and you have an insight on the logs you’re maintaining and what log artifacts are available for those systems, you can build event cases for these systems. Think like an attacker: How would you try to access or compromise your critical assets? What would be abnormal versus normal behavior with regards to these systems? Of course, event cases need fine-tuning now and then, especially after changes have been made to your critical environment.

Incident response management and capacity

What if the fire-alert system of your house detects a fire but there is no sprinkler system and the nearest fire brigade is miles away? This is something to think about before deploying SIEM. You need procedures that define what to do if events are triggered for a critical component and, after initial analysis, escalate as an incident. Who has the capacity to respond to incidents?

Deploying SIEM is not simply putting a box on the network. That’s only the technology part. What about people and processes? Preparing for a SIEM deployment requires having the right visibility of your company’s critical assets and responding in a timely manner to events. These pillars are a guide that we have successfully used in many deployments of SIEM and in building security operations centers.

Think security and event management is hard from the get go? Think again. The initial set up of McAfee Enterprise Security Manager (ESM) within McAfee’s Security Information and Event Manager (SIEM) ecosystem is a breeze, and takes less than 10 minutes from start to finish.

With McAfee, it’s simple: log into the ESM installation wizard with your McAfee-provided details (if you don’t have any, don’t worry: we can give you yours later on), approve the end-user license agreement, and update your default passwords. From there you can choose to set up McAfee in Federal Information Processing Standards (FIPS) mode or in non-FIPS mode, since FIPS limits the types of data and other features of the SIEM. Finally, you’ll be prompted to configure additional settings: whether to allow ICMP messages and pings (if at all), a proxy server if you need one, port settings, time synchronization, policy updates, and much more.

And that’s it! After that initial setup, you’re well on your way to protecting yourself with the industry’s leading security and event management platform.

For more tips and tricks with McAfee SIEM, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

On November 5, Microsoft posted Security Advisory 2896666. This vulnerability, discovered by Haifei Li of McAfee Labs, affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation could result in the ability to execute arbitrary code on a vulnerable host (a remote code execution vulnerability).

The issue (an integer overflow) lies in the handling of maliciously crafted TIFF files. A remote attacker can potentially exploit this flaw via a specially designed email message, distribution of a malicious binary, or via a maliciously crafted web page. Successful exploitation of the vulnerability will result in the attacker’s acquiring the same user rights as the current user.

Financial fraud has a wide range of impact across a society: Providers of financial services may incur the largest losses, but the users of financial services who become victims may be hit much harder. Fraud victims range across the income scale, and even a small fraud can be catastrophic to a vulnerable member of a society. For example, the United Kingdom’s Annual Fraud Indicator 2012 report estimated losses to the financial services sector at 3.5 billion. This does not include identity fraud, which adds more than a billion to the number.

While analytics-based fraud detection has helped to stem the rapid growth of these losses, the attractiveness of the industry to fraudsters remains strong. Two criminal endeavors targeting the financial services sector, Operation High Roller and Project Blitzkrieg, were identified and researched by McAfee in 2012. The analysis of these attacks shows that their sophistication has grown significantly.

The McAfee SIEM aids fraud analysts in two ways: both by enabling the combination of transaction analysis with analysis of network events, and also by bringing the products of McAfee research to identify known bad actors around the world.

Combining Fraud Analysis with Network Analysis

Current research has shown that a successful way to improve the efficiency of fraud detection, seen as unusual activity in a system, is to combine it with other measures of unusual activity, such as on a network. A useful example is combining the output of a Benford test with some of the built-in correlation rules that identify unusual activity on a network.

Benford’s Law, informally stated, says that in certain sets of numbers, the digits 1 through 9 are not equally likely to occur. The dollar amounts of checking account transactions are an example of such a set. Fraud analysts use Benford’s law and some related formulas to identify transactions that cause the set to break the law, often indicating some form of financial fraud. Below is an example of how a Benford test is used.

While the Benford Test is a powerful tool for fraud detection, it can be limited in the insight it provides. If multiple spikes come out of a test, the fraud analyst may struggle to eliminate the ones that have a reasonable explanation, or may need additional context that the transaction amounts alone cannot provide.

The McAfee SIEM can provide correlation rules that identify unusual activity on a network by combining events from several sources such as OS logs, firewalls, databases, and even applications. Built-in rules, shipped with the product, that are valuable for fraud analysis include:

Same User Logon from Different Geolocation

Same User Logon from Different Host

Same User Logon from Different IP

Successful database logons after repeated failed logons

Successful login after suspicious activity

These rules match up well to the records of recent attacks against financial institutions.

If the output of a Benford test is set up as a custom data source, and the transaction IDs are set up as a custom data type, then spikes in the Benford test can be correlated with the network events raised by the McAfee SIEM. This helps both to focus the response effort of security and fraud teams and to add some needed context to the numerical data provided by fraud detection algorithms.
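The Benford test described above, joined with hits from the built-in correlation rules listed earlier, as an added example that is not McAfee code: the transactions, account names and rule hits are all constructed, and the per-digit statistic is Nigrini's continuity-corrected first-digit z-test.

```python
import math
from collections import Counter, defaultdict

# Benford's expected share of leading digit d: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit of a positive amount, after rounding to cents."""
    return int(next(c for c in f"{amount:.2f}" if c not in "0."))


def benford_test(transactions, z_cutoff=1.96):
    """First-digit Benford test using Nigrini's continuity-corrected z-statistic.

    Returns {digit: (observed, expected, z)} for the digits whose observed share
    differs from P(d) by more than z_cutoff, i.e. the "spikes" a fraud analyst sees.
    """
    n = len(transactions)
    counts = Counter(first_digit(t["amount"]) for t in transactions)
    spikes = {}
    for d, p_exp in BENFORD.items():
        p_obs = counts[d] / n
        z = (abs(p_obs - p_exp) - 1 / (2 * n)) / math.sqrt(p_exp * (1 - p_exp) / n)
        if z > z_cutoff:
            spikes[d] = (counts[d], round(n * p_exp, 1), round(z, 2))
    return spikes


def correlate(transactions, spikes, siem_events):
    """Join the transactions behind a Benford spike with correlation-rule hits
    on the same user. Only users with both a spike and a rule hit become cases;
    a spike with no supporting network event stays a fraud-team lead."""
    flagged = defaultdict(list)
    for t in transactions:
        if first_digit(t["amount"]) in spikes:
            flagged[t["user"]].append(t["txn_id"])
    rule_hits = defaultdict(list)
    for e in siem_events:
        rule_hits[e["user"]].append(e["rule"])
    return {u: {"txn_ids": ids, "rules": rule_hits[u]}
            for u, ids in flagged.items() if u in rule_hits}


# --- constructed sample data, not real transactions or SIEM output ---
# 150 legitimate amounts, log-uniform from 10.00 to about 9,550.00, which
# follows Benford's law closely; spread round-robin over five accounts.
TRANSACTIONS = [
    {"txn_id": f"T{i:04d}", "user": f"user{i % 5}",
     "amount": round(10 ** (1 + i / 50), 2)}
    for i in range(150)
]
# 12 injected transfers just under a 10,000 approval limit, all on user3
FRAUD_AMOUNTS = [9800.0, 9900.0, 9750.0, 9950.0, 9600.0, 9850.0,
                 9700.0, 9990.0, 9450.0, 9880.0, 9920.0, 9650.0]
TRANSACTIONS += [{"txn_id": f"F{k:03d}", "user": "user3", "amount": a}
                 for k, a in enumerate(FRAUD_AMOUNTS)]
# Hits from two of the built-in correlation rules named in the post
SIEM_EVENTS = [
    {"user": "user3", "rule": "Same User Logon from Different Geolocation"},
    {"user": "user1", "rule": "Successful login after suspicious activity"},
]


def run(transactions=TRANSACTIONS, siem_events=SIEM_EVENTS):
    """Benford spikes first, then the join with SIEM rule hits."""
    spikes = benford_test(transactions)
    return spikes, correlate(transactions, spikes, siem_events)


if __name__ == "__main__":
    spikes, cases = run()
    for d, (obs, exp, z) in spikes.items():
        print(f"digit {d}: observed {obs}, expected {exp}, z={z}")
    for user, case in cases.items():
        print(f"{user}: {len(case['txn_ids'])} transactions, rules {case['rules']}")
```

Digit 9 spikes (18 observed against about 7 expected), but only user3 has both spike transactions and a rule hit, so user4's three legitimate 9xx amounts never reach the security team.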

Combining Fraud Analysis with Threat Intelligence

McAfee lives and breathes security. In addition to teams providing tools that reduce risk for a company, other teams focus on content that makes the tools more effective. For detection of fraud, two important sources are the correlation rules created to combat specific pervasive threats, and the Global Threat Intelligence feed that identifies suspicious and malicious IP traffic based on a continuous big data analysis of worldwide traffic.

While a financial services company may have its own mature fraud detection program, any program can benefit from solid external intelligence. It may fill in missing gaps, or it may supplement existing work and allow the group to better focus its efforts. Companies using the McAfee SIEM can avail themselves of content teams who identify global threats and create correlation rules on the SIEM to detect them. One example is a recently published rule, “Project Blitzkrieg – Communication with Known Command and Control Server” to aid detection of a threat directed at the financial services sector.

In addition to correlation rules, the McAfee SIEM has a component called the Advanced Correlation Engine (ACE), which is both unique and invaluable to enhancing fraud detection. The ACE allows risk-based correlation, which goes beyond the power of real-time rule-based correlation (tells you quickly what you want to know) and gives you a dynamic picture of the evolving risk at your company (tells you what you didn’t know). When the GTI feed is used as an input for a risk correlation manager, your organization can gauge how much traffic from malicious sources like botnets or other known bad actors is directed at your organization, and filter traffic so that only traffic with a malicious reputation enters the risk calculation.

You can configure the risk correlation manager to reflect business rules at your company.

Combining fraud analysis with network analysis and incorporating external intelligence are two important enhancements to detecting fraud. Each alone is a worthwhile effort for a fraud detection program; a company could choose to adopt both to gain even more benefits in its efforts to stem fraud losses. Both leverage the unique capabilities and advantages of the McAfee SIEM.

Keep up with the latest in security and fraud detection by following @McAfee_Business on Twitter.

Now that 9.2 has been out for some time, it’s time to document some of the very cool things the McAfee SIEM can do. While the documentation is a must-read for the how, this post is meant to bring you up to speed on the why of some advanced correlation features in 9.2. Remember, correlation using flows is only available in the Advanced Correlation Engine (ACE). Flows are not available in receiver-based (REC) correlation.

Let’s start by taking a look at the correlation rules:

This screen is essentially your home-base when setting up and modifying correlation rules. Notice the blue components: these are instances of the deviation component. If you look closer at the toolbar, you’ll notice an icon for the deviation component second from the right — it’s the icon containing a plus and minus sign.

When you drag that icon onto the panel and edit it, you’ll see a new window titled “Deviation Component.” This is where you can see the two biggest features in 9.2 for correlation: you can correlate on flows and events, and you can set components to fire based on deviations from the norm. Baselines have been in the product for a while, but 9.2 deviations from the baseline can be the basis of correlation rules. From a use case perspective, this enables network anomaly detection, user anomaly detection, even combinations of the two. You can also use the other components to add context or other supporting conditions, to tune out random noise and false positives.

There’s a wealth of use cases and implementation guides that we’ve published and compiled here, but it doesn’t hurt to get you up to speed on how to detect anomalous behavior. The deviation component gives you a lot of options for picking out something unusual in the stream of events, and changing any of them can give you a very different means of detection. Think of one instance of one deviation component as an indicator (some call it an observable). It’s a unit of behavior, something you can capture in a sentence that can be answered with a “yes” or “no.” One example sentence would be: “An unusual increase in the amount of traffic leaving a host (outlier bytes).” This corresponds to data exfiltration in the APT kill chain or an active botnet member performing its assignment. There are a variety of options in 9.2 that you can use to detect these instances. We’ll go through the options top to bottom and talk about how they change the indicator:

Events vs. Flows: What you select depends on what data sources you need for your threat model. If you are looking for deviations in events that have a clear footprint in a log (even combinations of them), you would select events. If you were looking for anomalies in traffic (no clear footprint in a log), you would select flows. Your choice of events and flows will impact what choices are available in the filter and deviation field options.

Filter: This is actually a second filter, but possibly the most challenging option on the component. This option filters events or flows before the deviation logic is applied. If you don’t filter these, then the deviation logic will be applied to practically all the events or flows. If you have multiple rules (who doesn’t?) using the deviation components (who wouldn’t?), you could lead yourself to a performance issue. No doubt there are some use cases that may require this. This is where looking at your indicator definition helps. My input would be that if you are not filtering these events or flows, your indicator may be a little too vague.

Deviation Type and Threshold: Similar to the features available in an alarm, these are alternatives to comparisons like equal, greater than, less than, etc. Raw value allows you to look at deviations over a specific amount, which requires you to have some analysis available that gives you those numbers. If you don’t have that, the others might be a better choice to determine “unusual.” While you can get a more detailed explanation here, you can use standard deviation for an indicator to identify when a value in a set of data falls far outside the range of expected values. What’s cool about the correlation in the SIEM is that you can group by things like source user. Now you have an indicator that tells you when a value is unusual for that user, which is much more powerful. Statistics can give you gems like “the average US family has 2.3 kids,” but the group by functionality gives you something much more meaningful and powerful. Power users would alarm on an arbitrary threshold, but they would not trigger on a deviation threshold grouped by user. Infrequent users would fall below an arbitrary average threshold, but even small changes in their usage pattern would trigger on a deviation threshold grouped by user (there is a way around this, future blog post for sure).

Besides the deviation type, you have to pick a threshold. This is a measure of how unusual the value you are looking for is in the scheme of things.

Deviation Operator: This is closely related to the deviation threshold. Standard deviations can be a symmetric thing, allowing you to go “n” standard deviations above and “n” standard deviations below. The question is: do you want that? If you are looking for unusual upticks, then you would select “Greater Than.” If you were looking for unusual downswings, you go with “Less Than.” Again, the indicator should be specific enough to make this choice a no-brainer.

Calculation Type: Differentiating these options could be an entire post or series of posts. Putting it in terms of how you implement an indicator: average per event looks at the individual event for some outlier attribute, picking out surges in the stream; total sum looks at buckets and picks out unusually large or small ones; cardinality tells you if you are looking at an unusual variety rather than an unusual number. But for now, let’s take a knee together and say that Total Sum and Cardinality are your best bets. Whether you go with one or the other depends on your indicator: if you can say something like “count” or “quantity” to describe it, go with Total Sum; if you can say something like “distinct” or “variety,” go with Cardinality. If you think of a threat model as something composed of indicators, a good threat model will have some indicators that use Total Sum and some that use Cardinality.

Deviation Field: Your choices here will be determined by whether you selected Events, Flows, or both at the top of the deviation component. This is what you are measuring for unusual values; since we were looking at outbound traffic (in our example of data exfiltration), destination bytes is the way to go. The work you put into the indicator should drive you to your choice of field. I can’t say that is easy, but it is made possible by defining the behavior well and knowing the data well. These are not always available at the same time; we hope to add content on our rules server to help out in this respect.

Sample Size: Statistical measures in themselves are a bit oblique in how they describe data. The key piece in making statistical measures work for threat detection is to make them time-based. By this I mean that the time period over which you compare events helps you tie numbers to behavior. The time range you choose here causes the data to be put in buckets based on time, and then calculations are performed on them. It is key for tuning false positives. For instance, for user behavior indicators, I find that going with 7 days is a solid sample size. We aren’t robots; we don’t do the same activities the same amount every day. When you go up to a week, this smooths out. For machine behavior indicators, a week is “too smooth.” Everything will look normal over a long enough time period, so go for a day or even an hour in this case. The deviation component sets the sample size, so you can and should have different sample sizes for different components in your rule. I gave the example of user vs. machine behavior, but there are many other things to consider.
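The deviation component walked through above, as an added example that is not the ACE’s own code: it emulates the Standard Deviation type with the Greater Than operator, the Total Sum and Cardinality calculation types, a group-by field and a 7-day sample size, over constructed flow records for two users (the records, user names and addresses are made up).

```python
import math
import statistics
from collections import defaultdict


def deviation_component(flows, group_field, deviation_field, calc_type,
                        threshold, operator="gt", sample_size=7, bucket_field="day"):
    """Emulate one Standard Deviation-type deviation component.

    Each (group, bucket) is reduced with the Calculation Type: Total Sum adds the
    deviation field, Cardinality counts its distinct values. The latest bucket is
    then compared, per group, with the mean and standard deviation of the
    preceding sample_size buckets. Returns {group: z} for the groups that fire.
    """
    def measure(values):
        return sum(values) if calc_type == "total_sum" else len(set(values))

    per_group = defaultdict(lambda: defaultdict(list))
    for f in flows:
        per_group[f[group_field]][f[bucket_field]].append(f[deviation_field])
    latest = max(f[bucket_field] for f in flows)

    fired = {}
    for group, buckets in per_group.items():
        # buckets with no activity are skipped here; counting them as zero is
        # the other defensible choice and it changes the baseline
        baseline = [measure(buckets[b]) for b in range(latest - sample_size, latest)
                    if b in buckets]
        if latest not in buckets or len(baseline) < 2:
            continue  # nothing to compare, or too little history for a baseline
        current = measure(buckets[latest])
        mean, sd = statistics.mean(baseline), statistics.stdev(baseline)
        if sd == 0:
            # constant baseline: any change is maximally unusual, no change is not
            z = math.inf if current != mean else 0.0
        else:
            z = (current - mean) / sd
        if (operator == "gt" and z > threshold) or (operator == "lt" and z < -threshold):
            fired[group] = z if math.isinf(z) else round(z, 2)
    return fired


def exfil_indicators(flows):
    """The post's exfiltration indicator as two components grouped by user:
    outlier bytes (Total Sum of dst_bytes) and an unusual variety of
    destinations (Cardinality of dst_ip), both at 3 standard deviations."""
    return {
        "outlier_bytes": deviation_component(
            flows, "user", "dst_bytes", "total_sum", threshold=3),
        "outlier_destinations": deviation_component(
            flows, "user", "dst_ip", "cardinality", threshold=3),
    }


def make_flows():
    """Constructed flow records (day bucket, user, destination, bytes), not real traffic.
    alice moves about 100 MB a day to three servers; bob about 5 MB to two.
    On day 7 bob sends 40 MB to nine new hosts, still far below alice's
    everyday volume, so a flat byte threshold would not notice it."""
    flows = []
    for day in range(8):
        for k, dst in enumerate(("10.0.0.10", "10.0.0.11", "10.0.0.12")):
            flows.append({"day": day, "user": "alice", "dst_ip": dst,
                          "dst_bytes": 30_000_000 + (day % 3) * 2_000_000 + k * 1_000_000})
        if day < 7:
            for k, dst in enumerate(("10.0.0.10", "10.0.0.20")):
                flows.append({"day": day, "user": "bob", "dst_ip": dst,
                              "dst_bytes": 2_000_000 + (day % 2) * 500_000 + k * 500_000})
        else:
            for k in range(9):
                flows.append({"day": day, "user": "bob", "dst_ip": f"10.0.0.{100 + k}",
                              "dst_bytes": 4_500_000})
    return flows


if __name__ == "__main__":
    for name, hits in exfil_indicators(make_flows()).items():
        print(name, hits)
```

Only bob fires on both indicators (about 66 standard deviations on bytes, and an infinite deviation on destinations because his baseline variety was constant), while alice’s 99 MB day sits well inside her own history.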

I have given an overview of the deviation component, and how you can use network flows with it as well. The use case drives the threat model which drives the indicators, but it helps to understand what choices you have in shaping those indicators.

Keep up with the latest in security by following @McAfeeSIEM on Twitter.

It’s always a great day when you can share something so innovative that it will surely change the game in the industry. Today, at the McAfee FOCUS 2013 conference, McAfee and my team announced the development and launch of McAfee Advanced Threat Defense – the newest addition to our Security Connected portfolio. If you read my post entitled, “Developing the Ultimate Defense against Advanced Malware,” I gave you a preview of what to expect in the hopes of piquing interest and raising awareness without giving away the big reveal.

At McAfee, we monitor the threat landscape and work to develop security solutions that can help organizations stay ahead of predicted threats. McAfee Labs believes that advanced malware shows no sign of changing its steady growth trajectory, which has risen steeply during the last two quarters. These threats are extremely stealthy and designed to evade detection and reside on a system for prolonged periods. As a security professional, you know that organizations can no longer rely on traditional security solutions to protect their digital assets against this strain of malware.

McAfee Advanced Threat Defense was built on the exciting technology we acquired from ValidEdge and combines sandboxing with the leading McAfee anti-malware engine, anti-virus technology, and global reputation feeds to create the market’s most complete approach to advanced malware detection. This new technology identifies sophisticated, hard-to-detect threats by running suspected malware in a “sandbox,” analyzing its behavior and assessing the potential impact the malware may have on an endpoint and a network.

Better Detection Accuracy

Advanced static code and dynamic analysis together provide the most detailed analysis and data on malware classification.

Broad operating system support enables threats to be analyzed under the same conditions as the actual host profile, reducing the chances of missed malware or false positives.

Faster Response Time

Integrated solutions from McAfee quickly and seamlessly move from malware analysis and conviction to protection and resolution; a more comprehensive, efficient approach.

Down selection (a mix of signatures, reputation and real-time emulation) quickly identifies a broad range of malware, producing fast detection results and reducing the number of files requiring resource-intensive sandbox analysis.

Lower Cost of Ownership

Centralized deployment enables multiple McAfee network devices to share the same malware analysis appliance, reducing the number of required appliances, simplifying administration and cost-effectively scaling across the network.

Unlike most standalone sandboxing technology, McAfee Advanced Threat Defense finds advanced malware and works with other McAfee solutions to freeze the threat and fix impacted systems. Find. Freeze. Fix. Talk about innovation. (Oh, and they will be talking about it.)

McAfee Network Security Platform customers have benefited from malware protection for some time now. Most customers already use McAfee Global Threat Intelligence (GTI), which has been available since the 6.0 release. The largest and most used reputation service, with over 64 billion queries per day, GTI classifies files as either good (whitelist) or bad (blacklist), and also supports gray listing through levels of file suspiciousness.

Network Security Platform release 7.5 takes network security malware protection to an unprecedented level. It starts with a vision to provide the best malware protection

Custom fingerprints – Build a local database of custom fingerprints (MD5 hashes). For example, one of our customers had almost 2,000 third-party Android apps that they wanted to detect, and all they did was import the custom fingerprints.

McAfee GTI file reputation – Since release 6.0, customers have had access to the largest cloud-based security intelligence network.

PDF-based JavaScript emulation – Sophisticated emulation technology that extracts the JavaScript, detects shellcode in the PDF, and then alerts the system. For example, 13 out of 17 Metasploit PDF-based attacks use JavaScript.
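The first step of that emulation, getting the script text out of the PDF, is shown here as an added example; it is my illustration, not McAfee Network Security Platform code, and the PDF bytes are constructed for the demo. It locates each /JS entry, decodes the two direct string forms (literal and hex), reports an indirect object reference without following it, and applies one heuristic that often precedes real emulation: a long run of %uXXXX escapes fed to unescape(), which is how shellcode is usually embedded in malicious PDF JavaScript. The four-escape threshold is an assumed value.

```python
"""Added example, not McAfee Network Security Platform code: pull script text
out of a PDF's /JS entries and flag %uXXXX escape runs that typically carry
shellcode. Handles literal (...) and hex <...> strings directly after /JS;
an indirect object reference is reported, not followed. Octal escapes inside
literal strings are passed through unchanged. SAMPLE_PDF is constructed."""
import re

SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (var sc = unescape("%u9090%u9090%u9090%u9090%uE8FC"); app.alert\(sc\);) >> endobj
4 0 obj << /S /JavaScript /JS <6170702e616c6572742831293b> >> endobj
5 0 obj << /S /JavaScript /JS 6 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}


def read_literal(data, i):
    """Parse the PDF literal string starting at data[i] == b'('.
    Returns (string, index just past the closing paren); handles nesting
    and backslash escapes."""
    depth, out = 0, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


JS_ENTRY = re.compile(rb"/JS\s*")
INDIRECT = re.compile(rb"(\d+)\s+(\d+)\s+R")


def extract_js(pdf):
    """Return [(kind, text)] for every /JS entry: kind is 'literal', 'hex' or 'indirect'."""
    found = []
    for m in JS_ENTRY.finditer(pdf):
        i = m.end()
        head = pdf[i:i + 1]
        if head == b"(":
            s, _ = read_literal(pdf, i)
            found.append(("literal", s.decode("latin-1")))
        elif head == b"<":
            j = pdf.index(b">", i)
            raw = bytes.fromhex(pdf[i + 1:j].decode("ascii"))
            found.append(("hex", raw.decode("latin-1")))
        else:
            ref = INDIRECT.match(pdf, i)
            found.append(("indirect", ref.group(0).decode("ascii") if ref else "?"))
    return found


UNICODE_RUN = re.compile(r"(?:%u[0-9A-Fa-f]{4})+")


def max_unescape_run(js):
    """Longest run of consecutive %uXXXX escapes in a script. Shellcode handed
    to unescape() shows up as long runs; ordinary scripts almost never have them."""
    return max((len(m.group(0)) // 6 for m in UNICODE_RUN.finditer(js)), default=0)


def suspicious(pdf, min_run=4):
    """Scripts whose longest escape run reaches min_run (assumed threshold)."""
    return [text for _, text in extract_js(pdf) if max_unescape_run(text) >= min_run]


if __name__ == "__main__":
    for kind, text in extract_js(SAMPLE_PDF):
        print(kind, repr(text), "run=%d" % max_unescape_run(text))
```

A real engine would also inflate /Flate-compressed streams and resolve the indirect reference before emulating; this example stops where the heuristic can already be applied.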

We recently made the decision to provide ALL of our new and existing McAfee Network Security Platform customers with a virtual, production-ready instance of McAfee Network Threat Behavior Analysis (NTBA). For those already familiar with NTBA, this makes a ton of sense. For those of you that aren’t, allow me to explain…

McAfee Network Threat Behavior Analysis (NTBA) is the perfect complement to Network IPS. Whereas traditional IPS makes inline assessments of what is happening on the network right now, NTBA provides a historical view of threat behavior over the course of days, weeks, or even months. By trending application flow information (i.e., NetFlow, URL, file, FTP, SMTP, etc.), NTBA can positively identify previously undetected threats and facilitate faster event resolution. It is fully integrated with both McAfee Network Security Manager and McAfee GTI, and it provides both security and network visibility down to the application level.

NTBA sits passively in the network and you can connect it directly to a monitoring port of your NSP, so deployment is very straightforward. You can also use it in network segments where you don’t have an IPS by pulling netflow data from routers and switches. This virtual instance of McAfee Network Threat Behavior Analysis is available at no extra cost to McAfee Network Security Platform customers; every McAfee Network Security Manager comes with a single virtual instance of NTBA, downloadable from the McAfee download site. If you have 5 Network Security Managers in your network, then you’re entitled to 5 virtual NTBA appliances.

And NO hidden tricks either:

Fully functional, no feature restrictions

You can run it in 3 different configurations (2 cores/6 GB, 4 cores/8 GB, 8 cores/16 GB) for capacities from 6k flows/s to 25k flows/s.

No restrictions on routers/switches exporting netflow data.

The only restriction is that a maximum of 2 Network Security Platform exporters can send flow data to NTBA.

Considering that some existing NetFlow analysis tools with similar throughput capacity (25k flows/s) can go for upwards of $100K, this represents a significant value to McAfee Network Security Platform customers. But don't just take our word for it. Please download your entitled copy today and let us know what you think in the comments below or with McAfee_Business on Twitter.

Following our acquisition of NitroSecurity last year, we have been working towards fully integrating their Security Information and Event Management (SIEM) technology into our portfolio of solutions. McAfee Enterprise Security Manager (the fruit of our combined efforts) recently received a 5-star rating from SC Magazine, and now we are proud to announce that McAfee has been named a leader in the 2012 Gartner Magic Quadrant for SIEM.

Our Strengths

Gartner’s research evaluates leading vendors who offer solutions in the SIEM marketplace based on ability to execute and completeness of vision. This includes key criteria such as the customers’ need to analyze security event data in real-time for internal and external threat management, and to collect, store, analyze, and report on log data for regulatory compliance and forensics.

We believe our position in Gartner's Magic Quadrant illustrates how McAfee Enterprise Security Manager is taking performance, value and strength to the next level. At its core, our SIEM offering is all about our commitment to Security Connected: the ability to integrate with other key security solutions and deliver an autonomous and adaptive security risk management platform is one asset that sets us apart, and we're excited to continue our innovations in this space alongside our integration partners.

But don’t take our word for it. According to SC Magazine’s 5-star review, from its powerful correlation engine to its intuitive management interface, McAfee ESM provides security event management and analysis along with forensic capability that is easy to deploy for almost any size environment.

The 2012 Gartner Magic Quadrant for SIEM:

Later this year, we’ll be releasing version 9.1 of our Enterprise Security Manager, which will include the integration of threat intelligence from McAfee Global Threat Intelligence, risk data from McAfee Risk Advisor, and asset data from McAfee Vulnerability Manager and McAfee ePolicy Orchestrator.

If you’re interested in learning more about McAfee SIEM, check out our full list of offerings and resources online. You can also join the conversation on Twitter @McAfee_business, where we’ll be hosting our monthly #SecChat on the topic of SIEM solutions on Thursday, 6/28 at 11am PT.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee at http://mcaf.ee/samh2.

[1] Gartner, "Magic Quadrant for Security Information and Event Management," Mark Nicolett and Kelly M. Kavanagh, May 24, 2012.

A few weeks ago, Iran reported intensified cyberattacks on its energy sector that they observed as a direct continuation of the Stuxnet and Duqu attacks.

Over the weekend, Iran's CERT (the country's emergency response team) published a new report that describes this attack as Flame and/or Flamer. Some news agencies also called the attack Viper. The complex functionality of the malware is controlled by command servers, of which there are possibly dozens. The malware is also capable of slowly spreading via USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat it had been analyzing for weeks was clearly the same threat as Flamer. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.

Previously, other cyberthreats such as Stuxnet and Duqu required months of analysis; this threat is clearly an order of magnitude more complex. To give an idea of the complexity: one of its smallest encrypted modules decompiles to more than 70,000 lines of C code and contains over 170 encrypted strings.

Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.

We found publicly available reports from antispyware companies, and log files in public help forums, that could indicate infections by early variants of Skywiper (McAfee's name for this threat) in Europe and Iran several years ago (for example, in March 2010). Skywiper appears to be more widely spread than Duqu, with similarly large numbers of variants.

Skywiper is a modular, extendable, and updateable threat. It is capable of, but not limited to, the following key espionage functions:

– Scanning network resources
– Stealing information as specified
– Communicating with control servers over the SSH and HTTPS protocols
– Detecting the presence of over 100 security products (AV, antispyware, firewalls, etc.)
– Using both kernel- and user-mode logic
– Employing complex internal functionality using Windows APC calls, thread-start manipulation, and code injection into key processes
– Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
– Concealing its presence as temp files whose names begin with "~", just like Stuxnet and Duqu
– Capable of attacking new systems over USB flash memory and the local network (spreading slowly)
– Creating screen captures
– Recording voice conversations
– Running on Windows XP, Windows Vista, and Windows 7 systems
– Containing known exploits, such as the print spooler and LNK exploits found in Stuxnet
– Using an SQLite database to store collected information
– Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
– Often located on nearby systems: a local network for both control and target infection cases
– Using PE-encrypted resources

To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation, yet its code base and implementation are very different, and much more complex and robust in its basic structure.

According to its program information block, the main module pretends to have been written by Microsoft Corporation: it claims to be a "Windows Authentication Client" for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. However, unlike Duqu and Stuxnet, none of the files analyzed so far are signed with a valid (or even a possibly stolen) key.

The threat files also use the mutex name TH_POOL_SHD_PQOISNG_#PID#SYNCMTX to identify already infected systems, a common technique in modern malware. #PID# is the process ID of the process into which the threat was injected.

I change my name; I change my extension

The threat files can change both filenames and extensions, according to specific control server requests as well as configuration settings. In some cases, Skywiper detects specific antivirus software and then changes the extension of its executable files (DLLs), for example from OCX to TMP. However, we have not always seen this behavior on affected systems, especially when the threat was installed before the security product in question.

Skywiper's main module is over 6 MB in size, while the completely deployed set is close to 20 MB. Yes, this is a lot of code for malware, but it is necessary to carry complex libraries such as zlib, a Lua interpreter, SQLite support, custom database support code, and so on.

Its encryption includes simple obfuscation such as XOR with a single byte value. That XOR key, 0xAE, has appeared in some other cases, showing a potential relationship to Duqu and Stuxnet, which also used this value. However, Stuxnet and Duqu always used other values in conjunction with this byte, including dates of possible meaning.
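Single-byte XOR is weak enough that an analyst can recover the key without knowing it, which is how such strings get pulled out of a sample in practice. The following is an added example of that recovery, my own code rather than anything from Skywiper or McAfee: it brute-forces all 256 candidate keys and keeps the one whose output looks most like text, then sweeps a blob for printable runs once the key is known. The obfuscated blob is constructed in the script itself by XOR-ing a made-up string (the product description the main module claims, per the text) with 0xAE; it is not data taken from the malware, and the letters-and-spaces scoring is an assumption that suits English strings.

```python
"""Added example, not code from Skywiper or McAfee: single-byte XOR
obfuscation and brute-force key recovery. SECRET and BLOB are constructed
for the demo; nothing here is taken from a malware sample."""

SECRET = b"Windows Authentication Client"
KEY = 0xAE  # the byte value named in the text; any single byte works the same way


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both
    obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


# Constructed obfuscated blob: this is what an author would ship instead of SECRET.
BLOB = xor_bytes(SECRET, KEY)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are ASCII letters or spaces (assumed scoring)."""
    good = sum(1 for b in data
               if b == 0x20 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A)
    return good / len(data) if data else 0.0


def recover_key(blob: bytes, min_score: float = 0.9):
    """Try all 256 keys and return (key, plaintext) for the most text-like
    output, or None if even the best candidate scores below min_score."""
    best_key = max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))
    plain = xor_bytes(blob, best_key)
    return (best_key, plain) if text_score(plain) >= min_score else None


def find_xor_strings(data: bytes, key: int, min_len: int = 6):
    """Decode data with key and return every run of at least min_len printable
    bytes: the usual sweep of a blob once the key is known."""
    decoded = xor_bytes(data, key)
    runs, cur = [], bytearray()
    for b in decoded + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur).decode("ascii"))
            cur = bytearray()
    return runs


if __name__ == "__main__":
    print("blob:", BLOB.hex())
    key, plain = recover_key(BLOB)
    print("recovered key 0x%02X -> %r" % (key, plain))
    sample = BLOB + b"\x00\x01" + xor_bytes(b"Microsoft Corporation", KEY)
    print("strings:", find_xor_strings(sample, key))
```

Multi-byte or rolling keys of the kind the text attributes to Stuxnet and Duqu (a date combined with 0xAE, for example) defeat this single-byte search; the same scoring still works if the candidate space is extended to the key format in question.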

Other than the above, Skywiper does not show a direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks. In some ways it could be a parallel project, as the early date may suggest. The attack files showed recent development in January and August 2011, according to some of the leftover date values in its files. The dates in the file headers have been purposely changed (claiming to be from 1994, etc.), but export-table date values and dates elsewhere in the files indicate 2011.

The main module of Skywiper starts via the registry, over an exported function:

Initial infections gathered by our network sensors are shown on the map below:

Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as control servers. Continuing research will certainly need to take this into consideration.

McAfee antivirus products will detect and clean the threat as W32/Skywiper from infected systems. Our initial data indicates that there are multiple variants of this threat in the field.

In late 2011, the FBI released documents and data focusing on “Operation Ghost Click.” This malicious operation, leveraging a variety of DNSChanger-type malware, was defined by the FBI as an “international cyber ring that infected millions of computers.”

Associated malware samples and events can be traced back several years, and multiple platforms were targeted. To this day many remain affected or infected and are still open to compromise.

The amount of helpful data around this issue is plentiful. Even the FBI has provided a tool to check whether your host/IP is affected.

So, fast-forward to the present: Within McAfee Labs we have been flooded with queries (forgive the DNS pun) on what will happen on March 8, and what other impacts might ripple through our environments as the FBI takes the next steps toward concluding Operation Ghost Click.

The Good News!

On March 5, a U.S. District Court in New York signed an order to extend the March 8 deadline to July 9.

This extension will allow all affected entities to continue to track down and remediate against hosts that are still compromised. Current data indicates that there are still several million infected or affected hosts worldwide.

Also, as a handy reminder, the offending netblocks are well documented:

67.210.0.0 through 67.210.15.255

93.188.160.0 through 93.188.167.255

77.67.83.0 through 77.67.83.255

213.109.64.0 through 213.109.79.255

64.28.176.0 through 64.28.191.255
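Because DNSChanger works by pointing a victim's resolver settings at servers in those ranges, the practical check is whether any configured nameserver falls inside them. The script below is an added example of that check, my own code rather than the FBI's tool or anything from McAfee: it converts the five ranges above into CIDR networks and tests resolver addresses against them. The resolv.conf text is constructed for the demo; on a real Linux host read /etc/resolv.conf (or, on Windows, the DNS servers shown by `ipconfig /all`) and pass those addresses in instead.

```python
"""Added example, not the FBI's checker: test whether a host's configured
resolvers fall inside the DNSChanger netblocks listed above. The
resolv.conf text is constructed; feed in a real file to check a host."""
import ipaddress

# The five ranges from the list above, as (first, last) address pairs.
ROGUE_RANGES = [
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each first/last pair into the CIDR block(s) that cover it exactly.
ROGUE_NETS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]


def is_rogue_resolver(ip: str) -> bool:
    """True if ip lies in any of the DNSChanger netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


def parse_resolv_conf(text: str):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(text: str):
    """Map each configured nameserver to True if it is in a rogue netblock."""
    return {ip: is_rogue_resolver(ip) for ip in parse_resolv_conf(text)}


# Constructed sample, not from a real host: one rogue resolver, one clean one.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 93.188.161.7
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    for ip, rogue in check_resolvers(text).items():
        print("%-16s %s" % (ip, "ROGUE (DNSChanger range)" if rogue else "ok"))
```

Run it with the path to a resolv.conf as the only argument, or with no argument to see the constructed sample. A host whose resolver is flagged should be treated as compromised, not merely reconfigured: the malware that changed the setting is still present.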

To learn more about how to maintain your online connection and to protect against this malware family, read our new Threat Advisory: